Skip to content

ci: add least-privilege workflow permissions (CodeQL)#224

Open
jhamon wants to merge 1 commit into
mainfrom
security/workflow-least-privilege-permissions
Open

ci: add least-privilege workflow permissions (CodeQL)#224
jhamon wants to merge 1 commit into
mainfrom
security/workflow-least-privilege-permissions

Conversation

@jhamon

@jhamon jhamon commented Jul 11, 2026

Copy link
Copy Markdown
Contributor

Summary

Resolves the three open CodeQL actions/missing-workflow-permissions alerts (#6, #12, #13). Neither workflow declared explicit permissions, so both used the repository-default GITHUB_TOKEN scope.

Changes

  • pr.ymlpermissions: contents: read — the build, integration-test, and cleanup jobs only build/test; they make no writes via GITHUB_TOKEN.
  • build-and-publish-docs.ymlpermissions: contents: read — it publishes Javadoc to the separate sdk-docs repo using SSH_DEPLOY_KEY, not GITHUB_TOKEN, so it only needs to read this repo.

Verification

  • YAML parses cleanly (ruby -ryaml).
  • Token scope now matches actual operations; no behavior change.

Part of PIN-16 (security tail), child of PIN-6.

🤖 Generated with Claude Code


Note

Low Risk
CI YAML-only permission tightening with no application or secret-handling logic changes; risk is mainly if a step later needed write scope via GITHUB_TOKEN (none do today).

Overview
Adds explicit permissions: contents: read to pr.yml and build-and-publish-docs.yml, replacing the implicit default GITHUB_TOKEN scope and clearing CodeQL actions/missing-workflow-permissions findings.

pr.yml — build, integration-test, and cleanup only checkout and run Gradle; they do not write to the repo via GITHUB_TOKEN, so read-only contents access is sufficient.

build-and-publish-docs.yml — Javadoc is pushed to sdk-docs with SSH_DEPLOY_KEY, not GITHUB_TOKEN; this workflow only needs to read the Java client repo. Short comments in each file document that rationale.

No job steps or secrets usage change; only the token permission boundary is tightened.

Reviewed by Cursor Bugbot for commit 0b1c51b. Bugbot is set up for automated code reviews on this repo. Configure here.

Resolves CodeQL actions/missing-workflow-permissions alerts (#6, #12, #13).
Both workflows are read-only w.r.t. this repo:
- pr.yml: build / integration-test / cleanup only read the repo.
- build-and-publish-docs.yml: pushes to the sdk-docs repo via SSH_DEPLOY_KEY.
Set contents: read on both.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant