From e487b07fe85023f37962205018c5bf8a12de1dca Mon Sep 17 00:00:00 2001 From: Rhuan Barreto Date: Sun, 26 Apr 2026 17:41:11 +0200 Subject: [PATCH 1/2] fix(ci): remove global env block from scorecard workflow The scorecard-action rejects workflows with global `env` or `defaults` blocks as a security measure. The `ARCHGATE_TELEMETRY` var is not needed in this workflow since no archgate CLI runs here. --- .github/workflows/scorecard.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index b30b6bc1..79387bad 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -11,9 +11,6 @@ on: permissions: read-all -env: - ARCHGATE_TELEMETRY: "0" - concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true From 35855fa06b2e1f7d3e8d68fc7820d84a0249980d Mon Sep 17 00:00:00 2001 From: Rhuan Barreto Date: Sun, 26 Apr 2026 17:46:44 +0200 Subject: [PATCH 2/2] ci: scope token permissions to job-level and add CODEOWNERS - release-binaries.yml: move `contents: write` to job-level - release.yml: move all permissions to job-level, scoped per job: - check: `contents: read` (uses app token for writes) - pull-request: `actions/contents/pull-requests/statuses: write` - release: `contents: write`, `id-token: write` (npm provenance) - Add CODEOWNERS for Branch-Protection codeowner review check Improves OpenSSF Scorecard Token-Permissions and Branch-Protection. --- .github/CODEOWNERS | 2 ++ .github/workflows/release-binaries.yml | 5 +++-- .github/workflows/release.yml | 17 +++++++++++------ 3 files changed, 16 insertions(+), 8 deletions(-) create mode 100644 .github/CODEOWNERS diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS new file mode 100644 index 00000000..5f055349 --- /dev/null +++ b/.github/CODEOWNERS @@ -0,0 +1,2 @@ +# Default owners for everything in the repo +* @rhuanbarreto diff --git a/.github/workflows/release-binaries.yml b/.github/workflows/release-binaries.yml index d6fbad55..41b84ddd 100644 --- a/.github/workflows/release-binaries.yml +++ b/.github/workflows/release-binaries.yml @@ -9,8 +9,7 @@ on: description: "Release tag to build (e.g. v0.1.0)" required: true -permissions: - contents: write +permissions: {} env: ARCHGATE_TELEMETRY: "0" @@ -19,6 +18,8 @@ jobs: build: name: Build ${{ matrix.artifact }} timeout-minutes: 15 + permissions: + contents: write strategy: fail-fast: false matrix: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index c203741b..7165062f 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -11,12 +11,7 @@ concurrency: group: release-${{ github.ref_name }} cancel-in-progress: false -permissions: - actions: write - contents: write - id-token: write - pull-requests: write - statuses: write +permissions: {} env: ARCHGATE_TELEMETRY: "0" @@ -26,6 +21,8 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 10 name: Context check + permissions: + contents: read outputs: continue: ${{ steps.check.outputs.continue }} workflow: ${{ steps.check.outputs.workflow }} @@ -64,6 +61,11 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 10 name: Pull request + permissions: + actions: write + contents: write + pull-requests: write + statuses: write needs: check if: needs.check.outputs.workflow == 'pull-request' steps: @@ -114,6 +116,9 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 10 name: Release + permissions: + contents: write + id-token: write needs: check if: needs.check.outputs.workflow == 'release' steps: