chore(ci): least privilege workflow permissions#570
Merged
DerekRoberts merged 10 commits into main from … on Mar 3, 2026
Conversation
…t-openshift example
Pull request overview
This PR attempts to enforce least-privilege GitHub Actions permissions by adding explicit `permissions` blocks to multiple workflows.
Changes:
- Adds a workflow-level `permissions:` block with `contents: read` to several workflows.
- Adds additional `permissions: {}` entries near the end of multiple workflow files.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| .github/workflows/scheduled.yml | Adds workflow permissions; also introduces a second permissions key at EOF. |
| .github/workflows/merge.yml | Adds workflow permissions; inserts a top-level permissions: {} inside the jobs: section. |
| .github/workflows/analysis.yml | Adds workflow permissions; also adds a second permissions key at EOF. |
| .github/workflows/.tests.yml | Adds workflow permissions; also adds a second permissions key at EOF. |
| .github/workflows/.deploy.yml | Adds workflow permissions but breaks workflow_call.inputs indentation; also adds a second permissions key at EOF. |
Comments suppressed due to low confidence (5)

.github/workflows/analysis.yml:43
`permissions: {}` at the end of the workflow introduces a duplicate top-level `permissions` key which overrides the earlier `contents: read` setting. This can leave the workflow with no token permissions and break `actions/checkout` / SARIF upload. Remove this trailing `permissions: {}` and use job-level `permissions` only where overrides are needed.

.github/workflows/.deploy.yml:123
`permissions: {}` at the end of the file introduces a second top-level `permissions` key, overriding the earlier `contents: read` permission (and in this file's case, it also appears after the `jobs` definition). Remove this trailing key; use job-level `permissions` only where an override is required.

.github/workflows/scheduled.yml:142
`permissions: {}` at the end of the workflow creates a second top-level `permissions` key. In YAML the last key wins, so this will override `contents: read` and can leave the workflow with no token permissions (breaking `actions/checkout` and other API calls). Remove this trailing `permissions: {}`; if you need per-job overrides, put `permissions` blocks under the specific jobs instead.

.github/workflows/.tests.yml:36
`permissions: {}` at the end of the workflow creates a second top-level `permissions` key. In YAML this will override the earlier `contents: read` permission and can break `actions/checkout` (and any API calls) by leaving the token with no scopes. Remove this trailing `permissions: {}`; if a specific job needs different permissions, set them under that job.

.github/workflows/.deploy.yml:35
The new workflow-level `permissions` block is inserted before the rest of the `workflow_call.inputs` entries, but the remaining inputs (`directory`, `timeout-minutes`, etc.) are still indented as if they are under `on.workflow_call.inputs`. This makes the YAML invalid and/or removes those inputs from the reusable workflow contract. Move `permissions` to a valid top-level position (after `on:`) and fix indentation so all inputs remain under `on.workflow_call.inputs`.
```yaml
permissions: {}
### Usually a bad idea / not recommended
      directory:
        description: "Chart directory"
        default: "charts/${{ github.event.repository.name }}"
        required: false
        type: string
      timeout-minutes:
        description: "Timeout minutes"
```
…openshift example
…r quickstart-openshift
…top-level and correct job-level permissions
…only where elevation needed
Pull request overview
Copilot reviewed 7 out of 7 changed files in this pull request and generated 5 comments.
Comments suppressed due to low confidence (1)
.github/workflows/merge.yml:60
Because the workflow sets `permissions: {}` at the top level, the `deploys`/`tests`/`deploys-prod` jobs (which call reusable workflows via `uses: ./.github/workflows/...`) will run with no `GITHUB_TOKEN` scopes unless you add job-level `permissions`. Reusable workflows can't increase permissions beyond the caller, so these caller jobs need to grant at least `contents: read` for the called workflows' `actions/checkout` steps (and any other scopes they require).
```yaml
  deploys:
    name: TEST Deployments
    needs: [retag-images, semantic-version]
    uses: ./.github/workflows/.deploy.yml
    secrets: inherit
```
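As an added worked example, not code from this PR or the repository: a small audit script that catches the two problems raised in the review comments above, a duplicated top-level `permissions` key (the later value shadows the earlier one in any parser that tolerates duplicate keys, so the earlier `contents: read` is lost) and a caller job that `uses:` a reusable workflow while the workflow-level grant is `permissions: {}` without a job-level grant, which a called workflow cannot raise on its own. It deliberately uses a minimal indentation-based key scanner instead of a YAML library so it runs with no dependencies; the `BEFORE` and `AFTER` workflow texts are constructed for the example and only resemble merge.yml.

```python
"""Audit GitHub Actions workflows for two least-privilege pitfalls.

Added example, not project code. A minimal indentation-based scanner
stands in for a YAML library: it relies on the block-mapping layout
GitHub workflows use (top-level keys at column 0, job names at
column 2, job keys at column 4), which is enough for these checks.
"""
import re

# A mapping-key line: leading indentation, key, optional inline value.
# Sequence items such as "- name: x" do not match, so steps are ignored.
_KEY_RE = re.compile(r"^(\s*)([A-Za-z0-9_.\-]+):\s*(.*)$")


def scan_keys(text):
    """Return (indent, key, inline_value) for every mapping-key line."""
    keys = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = _KEY_RE.match(raw.rstrip())
        if m:
            value = m.group(3).split(" #", 1)[0].strip()  # drop trailing comment
            keys.append((len(m.group(1)), m.group(2), value))
    return keys


def audit_workflow(text):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    keys = scan_keys(text)

    # Check 1: duplicate top-level keys. The earlier block is shadowed,
    # so "permissions: {}" at EOF silently replaces "contents: read".
    seen = {}
    for indent, key, value in keys:
        if indent != 0:
            continue
        if key in seen:
            before = seen[key] or "<block>"
            after = value or "<block>"
            findings.append(
                f"duplicate top-level key '{key}': earlier value "
                f"{before!r} is shadowed by {after!r}"
            )
        seen[key] = value

    if "permissions" not in seen:
        findings.append(
            "no workflow-level permissions: token falls back to the repository default"
        )

    # Check 2: collect each job's column-4 keys so we can see which jobs
    # call a reusable workflow and whether they carry their own grant.
    jobs, current, in_jobs = {}, None, False
    for indent, key, value in keys:
        if indent == 0:
            in_jobs, current = (key == "jobs"), None
        elif in_jobs and indent == 2:
            current = key
            jobs[key] = {}
        elif in_jobs and indent == 4 and current is not None:
            jobs[current][key] = value

    # A called workflow cannot raise permissions above the caller job's,
    # so with an empty workflow-level grant the caller job must grant them.
    if seen.get("permissions") == "{}":
        for name, fields in jobs.items():
            if "uses" in fields and "permissions" not in fields:
                findings.append(
                    f"job '{name}' calls {fields['uses']} with no token scopes; "
                    "add job-level permissions (at least contents: read)"
                )
    return findings


# Constructed sample: workflow-level contents: read, a caller job,
# then a trailing "permissions: {}" as flagged in the reviews.
BEFORE = """\
name: Merge
on:
  push:
    branches: [main]

permissions:
  contents: read

jobs:
  deploys:
    name: TEST Deployments
    uses: ./.github/workflows/.deploy.yml
    secrets: inherit

permissions: {}
"""

# Constructed sample after the fix: one empty workflow-level grant and
# the scope the called workflow needs granted on the caller job.
AFTER = """\
name: Merge
on:
  push:
    branches: [main]

permissions: {}

jobs:
  deploys:
    name: TEST Deployments
    permissions:
      contents: read
    uses: ./.github/workflows/.deploy.yml
    secrets: inherit
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_workflow(text) or ["ok"])
```

Run it over a real `.github/workflows/*.yml` by reading the file into `audit_workflow`; the scanner is intentionally strict about column positions, so a workflow that nests jobs differently should be checked with a proper YAML loader that rejects duplicate keys instead.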
Summary
This PR updates all GitHub Actions workflows to enforce least-privilege permissions as required by copilot.md and BC Gov standards. Top-level permissions are now set to . No job-level permissions were changed unless already present.
Thanks for the PR!
Any successful deployments (not always required) will be available below.
API available
Frontend available
Once merged, code will be promoted and handed off to the following workflow run.
Main Merge Workflow