Merged
2 changes: 2 additions & 0 deletions .github/dependabot.yml
Expand Up @@ -8,3 +8,5 @@ updates:
labels:
- "Github CI/CD"
- "no releasenotes"
cooldown:
default-days: 7
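Review bot: `cooldown: default-days: 7` delays every Dependabot version update by a week after a release is published, which is a sensible guard against freshly pushed malicious versions (the ones most often yanked within days) but also holds back releases that carry security fixes; confirm whether Dependabot security updates bypass the cooldown in this configuration, and if they do not, consider a shorter per-ecosystem window for the packages where patch latency matters. Otherwise the setting belongs here alongside the update entry's labels.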
3 changes: 2 additions & 1 deletion .github/workflows/devcontainer-docker-image.yml
@@ -1,5 +1,7 @@
name: devcontainer-docker-image

permissions: {}

on:
workflow_dispatch:
schedule:
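Review bot: the workflow-level `permissions: {}` is the right default for a workflow that also runs from `workflow_dispatch` and `schedule`, since it strips the GITHUB_TOKEN of every scope unless a job asks for one; the consequence is that every job in this file must now carry its own `permissions:` block, so check that no job other than the one already declaring `contents: read` and `packages: write` in the second hunk was relying on the repository default.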
Expand All @@ -18,7 +20,6 @@ jobs:
# Set permissions for GitHub token
# <https://docs.github.com/en/packages/managing-github-packages-using-github-actions-workflows/publishing-and-installing-a-package-with-github-actions#authenticating-to-package-registries-on-github>
permissions:
Copilot AI Nov 12, 2025

The job uses actions/checkout (line 27) which requires contents: read permission. Without this permission, the checkout action may fail. Even though actions/checkout can work with default permissions in some contexts, explicitly removing contents: read when the workflow uses checkout is problematic. The workflow-level permissions: {} denies all permissions, so the job needs explicit contents: read to checkout the repository.

Suggested change
permissions:
permissions:
contents: read

Contributor Author

Clearly incorrect.

contents: read
packages: write

steps:
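Review bot: `contents: read` and `packages: write` are both present in the resulting job block, so the Copilot suggestion above to add `contents: read` does not apply; the one line this hunk removes is not that grant. One follow-up worth checking because this job both checks out the repository and holds `packages: write`: the checkout step (outside the hunk) should set `persist-credentials: false`, as the zizmor workflow in this PR does, so the token with package-write scope is not left in `.git/config` for later steps to read.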
2 changes: 2 additions & 0 deletions .github/workflows/docker-image.yml
@@ -1,5 +1,7 @@
name: docker-image

permissions: {}

on:
release:
types:
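Review bot: with `permissions: {}` at workflow level on a `release`-triggered workflow, the job that builds and pushes the image must declare `packages: write` (and `contents: read` for the checkout) itself; the hunk stops before the `jobs:` section, so confirm a job-level block exists, mirroring the one shown in devcontainer-docker-image.yml, or the push step will fail with an unauthorized error.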
2 changes: 2 additions & 0 deletions .github/workflows/mypy.yml
@@ -1,5 +1,7 @@
name: mypy

permissions: {}

on:
pull_request:
push:
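Review bot: a type-check job needs no token scopes on a public repository; `actions/checkout` can clone a public repo with an empty-scope token (the zizmor template in this same PR notes that `contents: read` is only needed for private repos), so the empty workflow-level block can stand without a job-level grant. If this repository is ever made private, the job must add `contents: read` or the checkout breaks.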
3 changes: 3 additions & 0 deletions .github/workflows/pr-auto-label.yml
@@ -1,4 +1,7 @@
name: "Pull Request Labeler"

permissions: {}

on:
# The labeler doesn't execute any contributed code, so it should be fairly safe.
- pull_request_target # zizmor: ignore[dangerous-triggers]
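Review bot: `pull_request_target` runs with a token that has write access to the base repository, so the workflow-level `permissions: {}` matters more here than in any other file in this PR and fits the `zizmor: ignore[dangerous-triggers]` justification in the comment. The labeler job will need `pull-requests: write` declared at job level to apply labels, and the justification that it "doesn't execute any contributed code" holds only as long as the job never checks out or runs anything from the PR head; state that constraint next to the ignore comment so a future edit does not silently break it.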
2 changes: 2 additions & 0 deletions .github/workflows/publish-release-notes-to-discourse.yml
@@ -1,5 +1,7 @@
name: Publish Release Notes to Discourse

permissions: {}

on:
release:
types: [published]
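Review bot: the `release` event payload already carries the release body and tag, so a job that forwards release notes to Discourse needs no GITHUB_TOKEN scope to read them and the empty workflow-level block costs nothing; if the job instead fetches release data through the GitHub API, add `contents: read` at job level. The Discourse credential is presumably a repository secret and is unaffected by this change.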
2 changes: 2 additions & 0 deletions .github/workflows/release.yml
@@ -1,5 +1,7 @@
name: release-pipeline

permissions: {}

on:
push:
branches:
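Review bot: for a push-triggered release pipeline, `permissions: {}` at the top forces the publishing job to enumerate its own scopes, which is where `contents: write` (creating tags and releases) and, if the package is published via trusted publishing, `id-token: write` belong; grant those only on the job that publishes, not on build or test jobs in the same file. The hunk does not show the `jobs:` section, so this is a check to perform, not a defect in the diff.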
3 changes: 3 additions & 0 deletions .github/workflows/slash_dispatch.yml
@@ -1,4 +1,7 @@
name: Slash Command Dispatch

permissions: {}

on:
issue_comment:
types: [created]
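Review bot: `issue_comment` fires for comments from anyone allowed to comment, including non-members, so the empty workflow-level permissions limit what a crafted comment can reach with the GITHUB_TOKEN; the dispatch job still needs explicit scopes (or a PAT, if it dispatches to other repositories) to create dispatch events, and the slash-command pattern relies on checking the commenter's permission level before dispatching. The hunk shows only the trigger, so confirm both the job-level grant and that permission gate are present.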
2 changes: 2 additions & 0 deletions .github/workflows/tests.yml
@@ -1,5 +1,7 @@
name: tests

permissions: {}

on:
pull_request:
push:
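Review bot: same analysis as mypy.yml: on a public repository the test job can check out with an empty-scope token, so the hunk is sufficient as written. The practical effect is that the `push` runs, which previously received the repository-default token, are now as restricted as fork pull-request runs already were; if any step uploads artifacts or coverage through the GitHub API it will need the matching scope declared on that job.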
24 changes: 7 additions & 17 deletions .github/workflows/zizmor.yml
@@ -1,36 +1,26 @@
# https://github.com/woodruffw/zizmor
name: zizmor GHA analysis
# Source: <https://github.com/zizmorcore/zizmor-action>
name: GitHub Actions Security Analysis with zizmor 🌈

on:
push:
branches: ["main"]
pull_request:
branches: ["**"]

permissions: {}

jobs:
zizmor:
name: zizmor latest via PyPI
runs-on: ubuntu-latest
permissions:
security-events: write
# contents: read # only needed for private repos
# actions: read # only needed for private repos
steps:
- name: Checkout repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
persist-credentials: false

- uses: hynek/setup-cached-uv@757bedc3f972eb7227a1aa657651f15a8527c817 # v2.3.0

- name: Run zizmor 🌈
run: uvx zizmor --format sarif . > results.sarif
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
with:
# Path to SARIF file relative to the root of the repository
sarif_file: results.sarif
# Optional category for the results
# Used to differentiate multiple results for one commit
category: zizmor
uses: zizmorcore/zizmor-action@e673c3917a1aef3c65c972347ed84ccd013ecda4 # v0.2.0
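Review bot: the old and new versions of this file are rendered interleaved here (both `name:` lines and both step lists appear), so read the hunk as replacing the inline `uvx zizmor ... > results.sarif` plus `upload-sarif` steps with `zizmorcore/zizmor-action`. Two points to confirm before merging: the action is pinned to a full commit SHA with a `# v0.2.0` comment, which is correct practice, but the comment should be checked against the tag it claims, since a stale version comment is exactly the kind of issue zizmor flags; and the removed checkout step set `persist-credentials: false` while the action now performs its own checkout (no checkout step remains), so verify the action does not leave the token in the working tree. Dropping the unpinned `uvx zizmor` invocation, which ran whatever was latest on PyPI on each run, in favour of a pinned action is an improvement, and the job-level `security-events: write` with `contents: read` and `actions: read` left commented for private repos matches the action's documented requirements.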