Description
Our GitHub Actions workflows (pr.yaml, ci.yaml, and their associated job files) do not explicitly declare permissions for the GITHUB_TOKEN. CodeQL flags this under the rule actions/missing-workflow-permissions: a workflow with no permissions block at the workflow or job level falls back to the repository's default token permissions, which on repositories still using the permissive default are read/write for every scope, so any compromised step or third-party action in the job runs with a write-capable token.
To follow the principle of least privilege and clear these code scanning alerts, each workflow file needs an explicit, minimal permissions block. For most jobs that is contents: read, which is all actions/checkout needs; a job that must write (for example to upload SARIF results to code scanning) gets a job-level block that adds only that scope.
Example Alert
Affected Files
- .github/workflows/pr.yaml
- .github/workflows/ci.yaml
- .github/workflows/test-job.yaml
- .github/workflows/typecheck-job.yaml
- .github/workflows/lint-job.yaml
- .github/workflows/trivy-scan-job.yml
Acceptance Criteria
When each affected workflow file (including the job files, which CodeQL scans as separate workflows) is updated with a permissions block
Then the GITHUB_TOKEN permissions are explicitly set to contents: read at the workflow level, with a job-level block only where a job needs an additional scope (for example security-events: write for a job that uploads SARIF results), and no job is granted write scopes it does not use
And all related CodeQL alerts for actions/missing-workflow-permissions are resolved on the default branch
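What the fix looks like in a caller workflow and in one of the job files it calls, as an added illustration rather than the repository's actual files. The file contents below are constructed for this example: the triggers, the step list, and the assumption that the Trivy job uploads SARIF to code scanning (which is the only reason it is given security-events: write) are not stated in the issue and should be checked against the real workflows before copying.

```yaml
# .github/workflows/pr.yaml (constructed example, not the repository's file)
name: pr
on:
  pull_request:

# Workflow-level default: every job gets a read-only token unless it
# declares its own block. Without this block, jobs fall back to the
# repository default, which can be read/write for all scopes.
permissions:
  contents: read

jobs:
  test:
    # Inherits the workflow-level block above; nothing more is needed.
    uses: ./.github/workflows/test-job.yaml

  trivy:
    uses: ./.github/workflows/trivy-scan-job.yml
    # A job-level block replaces the workflow-level one instead of
    # merging with it, so contents: read has to be repeated here.
    # security-events: write is assumed to be needed for a SARIF upload;
    # drop it if the job does not upload to code scanning.
    permissions:
      contents: read
      security-events: write

---
# .github/workflows/trivy-scan-job.yml (constructed example)
name: trivy-scan-job
on:
  workflow_call:

# The called workflow declares its own block as well: CodeQL checks each
# workflow file on its own, and a called workflow can only narrow what
# the caller granted, never widen it.
permissions:
  contents: read
  security-events: write

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4          # needs contents: read only
      # Scan step assumed for illustration; the real job may differ.
      - run: trivy fs --format sarif --output trivy.sarif .
      - uses: github/codeql-action/upload-sarif@v3   # needs security-events: write
        with:
          sarif_file: trivy.sarif
```

When reviewing the change, check every job-level block against what the job actually does: a job-level permissions key sets every scope it does not name to none, so a job that lists only the extra write scope and forgets contents: read will fail at checkout, while a job that copies a broad write block "to be safe" reintroduces the problem the alert is about.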
References
GitHub Docs: Workflow permissions for GITHUB_TOKEN