Tighten GHA permissions #7959
base: main
Conversation
Codecov Report: All modified and coverable lines are covered by tests.

Coverage Diff (main vs. #7959):

| | main | #7959 | +/- |
|---|---|---|---|
| Coverage | 91.49% | 91.49% | |
| Files | 116 | 116 | |
| Lines | 18962 | 18962 | |
| Hits | 17349 | 17349 | |
| Misses | 1613 | 1613 | |
Pull Request Overview
This PR tightens GitHub Actions security by implementing the principle of least privilege for workflow permissions. The changes follow a "deny-by-default" approach by setting top-level `permissions: {}` and then explicitly granting only the required permissions at the job level.
Key changes:
- Added `permissions: {}` at the workflow level for all workflow files
- Removed unnecessary `contents: read` permission from the devcontainer-docker-image.yml job
- Refactored zizmor workflow to use the official zizmor-action instead of manual uvx execution
- Added cooldown configuration to dependabot to reduce update frequency
Reviewed Changes
Copilot reviewed 10 out of 10 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| .github/workflows/zizmor.yml | Refactored to use zizmor-action and tightened permissions with workflow-level permissions: {} |
| .github/workflows/tests.yml | Added workflow-level permissions: {} to enforce least privilege |
| .github/workflows/slash_dispatch.yml | Added workflow-level permissions: {} to enforce least privilege |
| .github/workflows/release.yml | Added workflow-level permissions: {} to enforce least privilege |
| .github/workflows/publish-release-notes-to-discourse.yml | Added workflow-level permissions: {} to enforce least privilege |
| .github/workflows/pr-auto-label.yml | Added workflow-level permissions: {} to enforce least privilege |
| .github/workflows/mypy.yml | Added workflow-level permissions: {} to enforce least privilege |
| .github/workflows/docker-image.yml | Added workflow-level permissions: {} to enforce least privilege |
| .github/workflows/devcontainer-docker-image.yml | Added workflow-level permissions: {} and removed unnecessary contents: read from job level |
| .github/dependabot.yml | Added 7-day cooldown to reduce dependabot update frequency |
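As an added illustration of the deny-by-default layout the overview describes (an example written for this page, not a workflow file from this repository), a workflow that sets `permissions: {}` at the top and grants each job only the scopes it uses; the job names, steps, image name and the `docker/login-action` step are assumptions, not taken from the PR:

```yaml
name: ci

on:
  push:
    branches: [main]
  pull_request:

# Deny by default: without this block the GITHUB_TOKEN gets the repository's
# default (often read/write) scopes. With {} it has no scopes unless a job
# asks for them below.
permissions: {}

jobs:
  test:
    runs-on: ubuntu-latest
    # contents: read is required to check out a private repository with the
    # token; nothing in this job can write to the repo, issues or packages.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - run: python -m pytest

  publish-image:
    runs-on: ubuntu-latest
    needs: test
    # Only this job pushes to the GitHub Packages registry, so only this job
    # receives packages: write. The scope never leaks into the test job.
    permissions:
      contents: read
      packages: write
    steps:
      - uses: actions/checkout@v4
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      # Hypothetical image name; replace with the project's own.
      - run: docker build -t ghcr.io/${{ github.repository }}:${{ github.sha }} .
      - run: docker push ghcr.io/${{ github.repository }}:${{ github.sha }}
```

A linter such as zizmor (used by this PR's workflow) flags workflows that omit the top-level `permissions:` block, so the deny-by-default layout can be enforced in CI rather than by review alone.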
| # Set permissions for GitHub token | ||
| # <https://docs.github.com/en/packages/managing-github-packages-using-github-actions-workflows/publishing-and-installing-a-package-with-github-actions#authenticating-to-package-registries-on-github> | ||
| permissions: |
Copilot (AI) commented on Nov 12, 2025:
The job uses actions/checkout (line 27) which requires contents: read permission. Without this permission, the checkout action may fail. Even though actions/checkout can work with default permissions in some contexts, explicitly removing contents: read when the workflow uses checkout is problematic. The workflow-level permissions: {} denies all permissions, so the job needs explicit contents: read to checkout the repository.
| permissions: | |
| permissions: | |
| contents: read |
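Review bot: the suggested `contents: read` under `permissions:` reintroduces the very permission the PR overview says was deliberately removed from the devcontainer-docker-image.yml job, so accepting it as-is would silently undo one of the stated changes. Before merging, settle whether this job's checkout actually needs the scope for this repository; if it does not, keep the removal and add a one-line comment above `permissions:` recording why, so the next reviewer (human or bot) does not re-raise the same point.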
Clearly incorrect.
williambdean left a comment:
Looks good from my side