From 7c12be1be8ba75c870149a22d644dfbf27cf3f3d Mon Sep 17 00:00:00 2001
From: Zeeshan Ahmed
Date: Mon, 30 Mar 2026 14:04:32 -0400
Subject: [PATCH] fix: add explicit permissions to all GitHub Actions workflows
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add top-level permissions blocks to restrict GITHUB_TOKEN scope, resolving 24 CodeQL code-scanning alerts (actions/missing-workflow-permissions). Without explicit permissions, workflows get the repo's default token permissions, which is typically overly broad. This follows the principle of least privilege — if a compromised action runs, it only has the minimum access needed.
- action-ci.yml: contents: read
- pr.yml: contents: read
- pre-commit.yml: contents: read
- release.yml: contents: read (jobs needing write already have explicit blocks)
- security_audit.yml: contents: read, security-events: write
- typescript_library.yml: contents: read
---
 .github/workflows/action-ci.yml | 2 ++
 .github/workflows/pr.yml | 3 ++-
 .github/workflows/pre-commit.yml | 2 ++
 .github/workflows/release.yml | 3 ++-
 .github/workflows/security_audit.yml | 3 ++-
 .github/workflows/typescript_library.yml | 2 ++
 6 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/action-ci.yml b/.github/workflows/action-ci.yml
index 997fc2dc..fd8edfb1 100644
--- a/.github/workflows/action-ci.yml
+++ b/.github/workflows/action-ci.yml
@@ -8,6 +8,8 @@ on:
 paths:
 - "action/**"
 - "action.yml"
+permissions:
+ contents: read
 jobs:
 run-unit-tests:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
index 10f92a3c..352079c1 100644
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@@ -13,7 +13,8 @@ on:
 env:
 CARGO_TERM_COLOR: always
 FUZZ_TIME: 420
-
+permissions:
+ contents: read
 jobs:
 build:
 name: Build all crates & run unit tests
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
index 69b60901..c78651da 100644
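Review bot: The new `permissions:` key is appended directly beneath the `paths` list with no blank line separating the `on:` stanza from the token scope, and the same layout is used in pr.yml, pre-commit.yml, release.yml, security_audit.yml and typescript_library.yml; in pr.yml, release.yml and security_audit.yml the commit also removes the blank line that used to precede `jobs:` instead of moving it after the new block. A blank line between top-level keys keeps the workflow-wide token scope visually distinct from trigger configuration and matches the usual yamllint layout. A short comment above the key would also record intent for the next maintainer, e.g. `# Least-privilege default for GITHUB_TOKEN; a job that needs more must declare its own permissions block.` The job bodies this scope applies to begin after `runs-on:` and are outside the hunk.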
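Review bot: With `contents: read` now set for the whole of pr.yml, any job that writes back to the pull request (check runs, comments, labels) or pushes to the repository will be refused by the API unless it carries its own `permissions:` block, and the commit message does not say whether this file was checked the way release.yml was. The job definitions start after `build:` and are outside the hunk, so it cannot be confirmed here; a run against a real pull request before merging would settle it. Note that a job-level `permissions:` replaces the workflow-level one rather than narrowing it, so a job that opts in must list every scope it needs, `contents: read` included if it checks out code.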
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
@@ -14,6 +14,8 @@ on:
 - .github/workflows/pre-commit.yml
 - .pre-commit-config.yaml
 - .pre-commit-hooks.yaml
+permissions:
+ contents: read
 jobs:
 run-unit-tests-and-lint:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index de0c44a9..735deea0 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -19,7 +19,8 @@ on:
 default: false
 env:
 CARGO_TERM_COLOR: always
-
+permissions:
+ contents: read
 jobs:
 # ---------------------------------------------------------------------------
 # 1. Validate input & run tests
diff --git a/.github/workflows/security_audit.yml b/.github/workflows/security_audit.yml
index e2b8fa05..0205a7c7 100644
--- a/.github/workflows/security_audit.yml
+++ b/.github/workflows/security_audit.yml
@@ -2,7 +2,8 @@ name: Security audit
 on:
 schedule:
 - cron: "0 17 * * *"
-
+permissions:
+ contents: read
 jobs:
 audit:
 if: github.repository == 'aws-cloudformation/cloudformation-guard'
diff --git a/.github/workflows/typescript_library.yml b/.github/workflows/typescript_library.yml
index 3bb75502..a72bd82f 100644
--- a/.github/workflows/typescript_library.yml
+++ b/.github/workflows/typescript_library.yml
@@ -6,6 +6,8 @@ on:
 pull_request:
 paths:
 - 'guard/ts-lib/**'
+permissions:
+ contents: read
 jobs:
 run-unit-tests-windows:
 runs-on: windows-latest
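Review bot: The commit message says the release.yml jobs that need write access already carry explicit permissions blocks, but none of them is visible in this hunk — the job bodies begin after the `# 1. Validate input & run tests` banner, outside it — so that claim is what the review rests on. Because a job-level `permissions:` is evaluated in place of the workflow-level one, the job that publishes the release must list every scope it uses (`contents: write` at minimum, and `id-token: write` if it uses OIDC for trusted publishing) or the publish step fails at the end of an otherwise successful pipeline. A one-line comment next to the new key, `# Jobs that create or push the release override this with their own permissions block.`, would make the relationship explicit for whoever edits the file next.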
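Review bot: The commit message lists `security-events: write` for security_audit.yml, but the hunk adds only `contents: read`, and the diffstat for the file (`3 ++-`) confirms that nothing else in it changed. If the `audit` job uploads its findings to code scanning it now lacks that scope and must declare it at job level, which is outside the hunk; if it does not, the description should be corrected so the two agree. Should the scope be needed, it belongs on the job that performs the upload rather than at the top of the workflow, so the remaining steps do not inherit it. The job body begins after the `if:` condition and is not visible here.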