From 066976f1c3e6c97d3d3bd09d0c6dbf4383465025 Mon Sep 17 00:00:00 2001
From: Moritz Clasmeier
Date: Mon, 18 May 2026 13:47:50 +0200
Subject: [PATCH] Apply least-privilege permissions to CI workflows

Add explicit `permissions` blocks to workflows that were missing them (code-quality, unit-tests) and narrow the scope of release.yml by moving its `contents: write` from workflow level to job level.

GitHub Actions grants the GITHUB_TOKEN a default permission set that varies by repository visibility. For public repositories GitHub defaults to read-only, but this is a repository-level setting that an admin can change at any time. Explicit permissions blocks make the workflow self-documenting and immune to that drift:
- If an admin later broadens the org or repo default, these workflows still only get the permissions they declare.
- A compromised or malicious step in a job cannot escalate beyond the declared scope. For read-only workflows like linting and unit tests, this means a supply-chain attack on a third-party action cannot push code, create releases, or modify repository settings.
- Moving release.yml's `contents: write` from workflow level to job level ensures that if new jobs are added to the workflow later, they don't silently inherit write access they don't need.

This follows the GitHub-recommended practice of always setting the minimum required permissions per job rather than relying on defaults.

Co-Authored-By: Claude Opus 4.6
---
 .github/workflows/code-quality.yml | 3 +++
 .github/workflows/release.yml | 5 ++---
 .github/workflows/unit-tests.yml | 3 +++
 3 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/code-quality.yml b/.github/workflows/code-quality.yml
index 07f3d8b..04b1aee 100644
--- a/.github/workflows/code-quality.yml
+++ b/.github/workflows/code-quality.yml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [ main ]
 
+permissions:
+  contents: read
+
 jobs:
   code-quality:
     name: Code Quality Checks
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 31a9298..4b44517 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -5,13 +5,12 @@ on:
     tags:
       - 'v[0-9]+.[0-9]+.[0-9]+*'
 
-permissions:
-  contents: write
-
 jobs:
   build-and-release:
     name: Build and Release Binaries
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       - name: Checkout code
diff --git a/.github/workflows/unit-tests.yml b/.github/workflows/unit-tests.yml
index a3be2ce..3526570 100644
--- a/.github/workflows/unit-tests.yml
+++ b/.github/workflows/unit-tests.yml
@@ -3,6 +3,9 @@ name: Unit Tests
 on:
   workflow_call:
 
+permissions:
+  contents: read
+
 jobs:
   unit-tests:
     runs-on: ubuntu-latest
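Review bot: Deleting the workflow-level `permissions` block in release.yml without replacing it leaves the workflow with no declared baseline, so a job added later falls back to the repository default that the commit message itself describes as subject to drift, rather than to an explicit read-only set. Keeping a restrictive block at workflow level alongside the new job-level elevation closes that gap: `permissions:` / `  contents: read` (or `permissions: {}`) at the top of the file, with the job's `contents: write` overriding it for build-and-release only. The job's step list runs past the end of the hunk, so whether any later step needs a scope beyond `contents: write` is not visible here.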
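Review bot: The added `permissions` block in unit-tests.yml sits in a workflow whose only trigger is `workflow_call:`, and for a called workflow GitHub applies the block as a downgrade of the caller's GITHUB_TOKEN, never an elevation, so the effective scope is the caller's permissions narrowed to `contents: read`. A comment above the block would stop a future maintainer from reading it as something this file grants on its own: `# Reusable workflow: this block can only narrow the GITHUB_TOKEN scopes the calling workflow passes in, not add to them.` The calling workflows are outside this patch, so whether they already restrict their own permissions cannot be checked here.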