@srprash srprash commented Dec 19, 2025

Summary

This PR adds explicit permission declarations to two GitHub Actions workflows to follow security best practices and the principle of least privilege.

Changes

1. .github/workflows/codeql-analysis.yml

  • Added security-events: write permission
  • This permission is required for CodeQL to publish security scan results to GitHub's security dashboard

2. .github/workflows/stale-bot.yml

  • Added issues: write permission
  • Added pull-requests: write permission
  • These permissions make explicit what the workflow needs to mark and close stale issues/PRs

Why these changes?

  1. Security best practice: Explicitly declaring permissions makes it clear what access each workflow requires
  2. Principle of least privilege: Instead of relying on default GitHub token permissions, we declare only what's needed
  3. Auditability: Makes it easier to review and audit workflow permissions across the repository
  4. Consistency: Aligns with other workflows in the repository that already declare explicit permissions

Testing

  • The changes are declarative and don't modify workflow logic
  • CodeQL workflow will continue to function with the added permission
  • Stale bot workflow will continue to function with the added permissions

- Add security-events:write permission to codeql-analysis.yml
- Add issues:write and pull-requests:write permissions to stale-bot.yml

These explicit permission declarations follow the principle of least
privilege and make the required permissions clear for security auditing.
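As an added illustration (not the repository's own workflow files), the following shows what the permission declarations described in this PR look like in place. A top-level `permissions:` block replaces the token's default grant for every job in the workflow, so any scope not listed is implicitly `none`. The scopes named in the PR (`security-events: write`, `issues: write`, `pull-requests: write`) are taken from the description above; the workflow names, triggers, job names, action versions and the `contents: read` scope are assumptions added here.

```yaml
# Added example: illustrative excerpts, not the project's actual workflow files.
# Scopes marked "from the PR" come from the PR description; everything else is assumed.

# .github/workflows/codeql-analysis.yml (excerpt)
name: CodeQL
on:
  push:
  pull_request:

# Workflow-level block: applies to every job below and overrides the
# repository's default GITHUB_TOKEN permissions. Unlisted scopes become 'none'.
permissions:
  contents: read           # assumed: the analyze job has to check out the source
  security-events: write   # from the PR: lets CodeQL upload results to the security tab

jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
      - uses: github/codeql-action/analyze@v3

---
# .github/workflows/stale-bot.yml (excerpt)
name: Stale
on:
  schedule:
    - cron: '0 0 * * *'    # assumed: run once a day

# Only the two scopes the stale bot needs; no contents or metadata write access.
permissions:
  issues: write            # from the PR: label and close stale issues
  pull-requests: write     # from the PR: label and close stale pull requests

jobs:
  stale:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/stale@v9
```

When a workflow has jobs with different needs, the same `permissions:` key can be placed under an individual job instead, so that a build job keeps `contents: read` only while the publishing job alone receives the write scope. Reviewing each workflow for a `permissions:` block is also a quick audit check: a workflow without one inherits whatever the repository or organization default is, which may be the permissive legacy grant.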
@srprash srprash requested a review from a team as a code owner December 19, 2025 22:23
@srprash srprash added the skip changelog doesn't need a CHANGELOG entry label Dec 19, 2025
@srprash srprash changed the title Add explicit permissions to GitHub Actions workflows chore: Add explicit permissions to GitHub Actions workflows Dec 19, 2025
@srprash srprash changed the title chore: Add explicit permissions to GitHub Actions workflows Add explicit permissions to GitHub Actions workflows Dec 19, 2025