Skip to content

ci(security): minimize workflow token permissions (Scorecard)#165

Merged
shudonglin merged 1 commit into
mainfrom
fix/scorecard-workflow-permissions
Jul 5, 2026
Merged

ci(security): minimize workflow token permissions (Scorecard)#165
shudonglin merged 1 commit into
mainfrom
fix/scorecard-workflow-permissions

Conversation

@shudonglin

Copy link
Copy Markdown

Summary

Reduces contents/packages write permissions flagged by OpenSSF Scorecard's
TokenPermissions check, on jobs that never actually execute on this fork
(guarded by if: github.repository == 'maximhq/bifrost' or otherwise
upstream-only). Zero functional impact on the fork — these jobs skip either way.

  • release-pipeline.yml: docker-build-amd64, docker-build-arm64,
    docker-manifest, docker-build-ubi9-amd64, docker-build-ubi9-arm64,
    docker-manifest-ubi9, push-mintlify-changelog — all guarded to
    maximhq/bifrost only; dropped to contents: read and removed packages: write.
  • helm-release.yml: top-level permissions dropped to contents: read
    (job already sets its own). Removed unused packages: write from job
    release (only used by continue-on-error, already-nonfunctional GHCR/Docker
    Hub OCI push steps). Left contents: write on job release in place — this
    job has no repository guard and does run on the fork (creates a real
    GitHub Release + pushes to gh-pages on push to main).
  • openapi-bundle.yml: top-level permissions dropped to contents: read
    (only job is guarded to maximhq/bifrost).
  • release-bifrost-migration-cli.yml: release-bifrost-migration-cli job
    dropped to contents: read (guarded to maximhq/bifrost).

Left unchanged: 2 npm install -g newman@6.2.1 newman-reporter-htmlextra@1.23.1
lines (PinnedDependencies) — these are legitimate runtime tool installs, not
practical to hash-pin without vendoring; recommend dismissing those 2 alerts.

Alert disposition (17 flagged)

# Location Disposition
1 release-pipeline.yml:1805 (docker-build-amd64 contents) FIXED → read
2 release-pipeline.yml:1806 (docker-build-amd64 packages) FIXED → removed
3 release-pipeline.yml:1918 (docker-build-arm64 contents) FIXED → read
4 release-pipeline.yml:1919 (docker-build-arm64 packages) FIXED → removed
5 release-pipeline.yml:2015 (docker-manifest packages) FIXED → removed
6 release-pipeline.yml:2077 (docker-build-ubi9-amd64 contents) FIXED → read
7 release-pipeline.yml:2078 (docker-build-ubi9-amd64 packages) FIXED → removed
8 release-pipeline.yml:2194 (docker-build-ubi9-arm64 contents) FIXED → read
9 release-pipeline.yml:2195 (docker-build-ubi9-arm64 packages) FIXED → removed
10 release-pipeline.yml:2295 (docker-manifest-ubi9 packages) FIXED → removed
11 release-pipeline.yml:2357 (push-mintlify-changelog contents) FIXED → read
12 helm-release.yml:19 (release job contents) MUST-DISMISS — job has no repo guard, genuinely runs on the fork (gh release create + gh-pages push)
13 helm-release.yml:20 (release job packages) FIXED → removed (only used by non-functional continue-on-error GHCR/Docker Hub push steps)
14 openapi-bundle.yml:12 (top-level contents) FIXED → read (sole job guarded to maximhq/bifrost)
15 release-bifrost-migration-cli.yml:86 (job contents) FIXED → read (guarded to maximhq/bifrost)
16 release-pipeline.yml ~1013 (npm install newman, unpinned) MUST-DISMISS — runtime tool install, impractical to hash-pin
17 release-pipeline.yml ~1134 (npm install newman, unpinned) MUST-DISMISS — runtime tool install, impractical to hash-pin

13 of 17 alerts fully fixed; 4 recorded as must-dismiss with reasons above
(1 genuinely-needed-on-fork write permission, 2 npm pin issues, plus the
already-covered helm-release contents:write).

Test plan

  • python3 -c "import yaml; ..." — all 4 edited workflow files parse as valid YAML
  • actionlint on all 4 files — no new errors introduced (pre-existing shellcheck info/style notices only, unrelated to permissions changes)
  • git diff --stat reviewed — surgical, permissions-only changes
  • Scorecard re-scan on merge to confirm alert count drops

🤖 Generated with Claude Code

https://claude.ai/code/session_01KaMwdJBpdWtWo7xxmehHrr

@shudonglin shudonglin merged commit 2a854cb into main Jul 5, 2026
32 of 33 checks passed
@shudonglin shudonglin deleted the fix/scorecard-workflow-permissions branch July 5, 2026 10:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant