Minimally scope permissions in GitHub Actions workflows#49
Draft
desrosj wants to merge 2 commits into
Co-authored-by: Cursor <cursoragent@cursor.com>
Pull request overview
Hardens GitHub Actions workflows by applying the principle of least privilege (top-level permissions: {} and job-scoped permissions) and adding per-job timeout-minutes to bound runtime.
Changes:
- Add top-level `permissions: {}` to all three workflows and explicit job-level `permissions` for every job.
- Add `timeout-minutes` to every job (10/30/45/60 minutes depending on workload).
- For brand-plugin-test jobs that call a reusable workflow, set `contents: read` to mirror the downstream workflow's scope.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| .github/workflows/satis-webhook.yml | Adds top-level permissions: {}, empty job-level permissions, and a 30-minute timeout for the webhook job. |
| .github/workflows/codecoverage-main.yml | Adds top-level permissions: {}, scopes the codecoverage job to contents: write + pull-requests: write, and adds a 60-minute timeout. |
| .github/workflows/brand-plugin-test.yml | Adds top-level permissions: {}, scopes each job (setup + 5 brand jobs), and adds timeout-minutes to each — including on jobs that use a reusable workflow via uses:, which is not a supported key in that context. |
Comments suppressed due to low confidence (4)
.github/workflows/brand-plugin-test.yml:51
`timeout-minutes` is not supported on a job that uses `uses:` to call a reusable workflow. This line will cause workflow validation to fail. Remove it (or set the timeout inside the reusable workflow).
    timeout-minutes: 45
.github/workflows/brand-plugin-test.yml:64
`timeout-minutes` is not supported on a job that calls a reusable workflow via `uses:`. This will cause workflow validation to fail.
    timeout-minutes: 45
.github/workflows/brand-plugin-test.yml:77
`timeout-minutes` is not supported on a job that calls a reusable workflow via `uses:`. This will cause workflow validation to fail.
    timeout-minutes: 45
.github/workflows/brand-plugin-test.yml:90
`timeout-minutes` is not supported on a job that calls a reusable workflow via `uses:`. This will cause workflow validation to fail.
    timeout-minutes: 45
| uses: newfold-labs/workflows/.github/workflows/module-plugin-test.yml@main | ||
| permissions: | ||
| contents: read # Matches downstream reusable workflow; required for checkout/composer/GitHub-hosted actions using GITHUB_TOKEN on private repos | ||
| timeout-minutes: 45 |
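Review bot: `timeout-minutes: 45` is not a valid key on a job that calls a reusable workflow via `uses:`, so this line will make the workflow file fail validation (the same defect is flagged by the suppressed comments for lines 51, 64, 77 and 90); remove it here and bound the runtime with `timeout-minutes` on the concrete job inside module-plugin-test.yml instead. The `permissions:` block with `contents: read` is fine to keep on the caller: it acts as the ceiling the reusable workflow's inner job already declares, and documenting why the scope is needed in the trailing comment is helpful.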
This updates the GitHub Actions workflow files to:
Once this PR is merged, the Settings -> Actions -> Workflow permissions setting can be changed by a repo admin to "Read repository contents and packages permissions".
For more information, see PRESS11-470.
References
Use of AI
Cursor was used (with Claude Opus 4.7 and Composer 2.0 at varying points) to analyze the repository and make the initial changes.
When this PR is marked "ready for review" it means that I have manually reviewed all permissions and timeouts that were changed and made any necessary adjustments.
As a part of the analysis, the following summary was created:
Status

- brand-plugin-test.yml, codecoverage-main.yml, satis-webhook.yml
- add/scoped-workflow-permissions (created)

Top-level `permissions: {}`

| File | Change |
|---|---|
| brand-plugin-test.yml | `permissions: {}` directive (added in this run) |
| codecoverage-main.yml | `permissions: {}` directive (added in this run) |
| satis-webhook.yml | `permissions: {}` directive (added in this run) |

Job-level `permissions:` additions

| Directive | Value | Ref |
|---|---|---|
| `permissions:` | `{}` | [3] |
| `permissions:` | `contents: write`, `pull-requests: write` | [3] |
| `permissions:` | `{}` | [3] |
| `permissions:` | `contents: read` | [2] |
| `permissions:` | `contents: read` | [2] |
| `permissions:` | `contents: read` | [2] |
| `permissions:` | `contents: read` | [2] |
| `permissions:` | `contents: read` | [2] |

Permissions corrections (previously incorrect)

No pre-existing configured `permissions:` were identified as incorrect.

`timeout-minutes` additions

| Minutes | Rationale |
|---|---|
| 30 | |
| 60 | |
| 10 | |
| 45 | wp-env, and Cypress suites, which can be slow on cold caches. |
| 45 | (module-plugin-test reusable workflow workload) |
| 45 | (module-plugin-test reusable workflow workload) |
| 45 | (module-plugin-test reusable workflow workload) |
| 45 | (module-plugin-test reusable workflow workload) |

Notes / blockers

`newfold-labs/workflows/.github/workflows/module-plugin-test.yml@main` already scopes its inner job to `contents: read`; caller jobs mirror that ceiling so the granting token cannot elevate beyond what the reusable workflow declares. Confirm in live runs whether `contents: read` continues to suffice for artifacts/caching behaviour under your organization's Actions defaults (`actions/cache`, `upload-artifact`); if workflows fail post-hardening, update `module-plugin-test.yml` upstream to declare any additional minimal scopes rather than widening callers alone.
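The pattern this PR applies, written out as an added example that is not one of this repository's workflow files: a caller workflow with a top-level deny-all and per-job scopes, one job that calls a reusable workflow (where the caller's `permissions` act as a ceiling and `timeout-minutes` is not a valid key), and the called workflow carrying the timeout on its concrete job. The file names, the `example-org` owner and the step commands are assumptions.

```yaml
# .github/workflows/caller-example.yml (hypothetical caller workflow)
name: Example hardened caller
on:
  pull_request:

# Deny everything at the top level; every job must opt in explicitly.
permissions: {}

jobs:
  setup:
    runs-on: ubuntu-latest
    permissions: {}        # needs nothing from GITHUB_TOKEN
    timeout-minutes: 10    # bounds a hung or runaway job
    steps:
      - run: echo "prepare matrix"

  brand-test:
    needs: setup
    # A job that calls a reusable workflow has no runs-on/steps and
    # must not carry timeout-minutes: that key fails workflow validation
    # here, so the runtime bound lives in the called workflow below.
    uses: example-org/workflows/.github/workflows/reusable-test.yml@main
    # Ceiling for the called workflow: it may narrow this, never widen it.
    permissions:
      contents: read

---
# .github/workflows/reusable-test.yml in example-org/workflows (hypothetical)
name: Reusable plugin test
on:
  workflow_call:

permissions: {}

jobs:
  test:
    runs-on: ubuntu-latest
    # Mirrors the caller's ceiling; checkout of a private repo needs
    # contents: read. Any extra scope is declared here, not by callers.
    permissions:
      contents: read
    # The timeout belongs on the concrete job that actually runs.
    timeout-minutes: 45
    steps:
      - uses: actions/checkout@v4
      - run: composer install --no-interaction
      - run: npm ci && npm test
```

Once every workflow carries `permissions: {}` at the top, the repository-level "Workflow permissions" setting can be switched to read-only without changing what any job is granted, because each job already names its own scopes.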