
PDP-1182 SECCMP-1797: Add top-level permissions and fix unnecessary write permission #1931

Merged
rjrudin merged 1 commit into develop from fix/SECCMP-1797-harden-permissions
Apr 8, 2026

Conversation

@GAdityaVarma
Contributor

SECCMP-1797: Add top-level permissions and fix write permission

Two changes:

  1. Adds `permissions: contents: read` at the workflow level to restrict the default `GITHUB_TOKEN` scope
  2. Fixes `contents: write` to `contents: read` on the copyright-validation job (write is unnecessary for reading files and posting PR comments)

Without top-level permissions, all jobs inherit the full `pull_request_target` write token.

Ref: Preventing pwn requests

…rite

Adds top-level permissions: contents: read to restrict the default
GITHUB_TOKEN. Also fixes the previous contents: write on the
copyright-validation job to contents: read.

This follows the principle of least privilege recommended in
GitHub's PwnRequest security guidance.
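The weak setting beside the corrected one, as an added illustration that is not the repository's own workflow file: the workflow name, job steps and the `pull-requests: write` grant (assumed here to be what posting a PR comment through the API needs) are assumptions; only the `pull_request_target` trigger and the `contents` permission keys come from the PR description.

```yaml
# Added example, not the project's workflow. Names and steps are hypothetical.
name: pr-checks

on:
  pull_request_target:   # runs in the base repository with its GITHUB_TOKEN

# BEFORE (the state the PR fixes): no top-level permissions block, so every
# job inherits the default token, which on pull_request_target can write to
# the repository, and the job itself asked for more than it used:
#
# jobs:
#   copyright-validation:
#     permissions:
#       contents: write      # unnecessary: the job only reads files and comments
#     ...

# AFTER: the workflow-wide default is read-only for repository contents.
# Any job that needs more must say so explicitly at the job level.
permissions:
  contents: read

jobs:
  copyright-validation:
    runs-on: ubuntu-latest
    permissions:
      contents: read         # reading checked-out files needs no more than this
      pull-requests: write   # assumed: required to post the comment below
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      # Hypothetical read-only check; treat PR content as data, never execute it.
      - name: Check copyright headers
        run: ./scripts/check-copyright.sh   # script comes from the base branch checkout policy
      - name: Comment on PR
        if: failure()
        env:
          GH_TOKEN: ${{ github.token }}
        run: gh pr comment "${{ github.event.pull_request.number }}" --body "Copyright header check failed."
```

With `permissions: contents: read` at the top, a job that omits its own `permissions` block still gets only read access, which is the property the PR description relies on.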
Copilot AI review requested due to automatic review settings April 8, 2026 14:01

Copilot AI left a comment


Pull request overview

This PR tightens GitHub Actions GITHUB_TOKEN permissions for the pull_request_target-based PR workflow to reduce default write access and align with GitHub Actions hardening guidance.

Changes:

  • Adds workflow-level permissions: contents: read to restrict the default token scope for all jobs.
  • Reduces the copyright-validation job’s contents permission from write to read.


@GAdityaVarma GAdityaVarma changed the title SECCMP-1797: Add top-level permissions and fix unnecessary write permission PDP-1182 SECCMP-1797: Add top-level permissions and fix unnecessary write permission Apr 8, 2026
@rjrudin rjrudin changed the base branch from master to develop April 8, 2026 14:13
@rjrudin rjrudin merged commit 70873f4 into develop Apr 8, 2026
11 of 14 checks passed
@rjrudin rjrudin deleted the fix/SECCMP-1797-harden-permissions branch April 8, 2026 14:14
@SameeraPriyathamTadikonda
Contributor

@GAdityaVarma Let's remove this workflow from the repository.
