Skip to content

ci: set least-privilege GITHUB_TOKEN permissions in workflow#28

Merged
jhamon merged 1 commit into
mainfrom
fix/ci-workflow-permissions
Jul 10, 2026
Merged

ci: set least-privilege GITHUB_TOKEN permissions in workflow#28
jhamon merged 1 commit into
mainfrom
fix/ci-workflow-permissions

Conversation

@jhamon

@jhamon jhamon commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Problem

.github/workflows/ci.yml declared no permissions: block, so GITHUB_TOKEN ran with the repository/organization default scopes on every job. GitHub code scanning flagged this as two open actions/missing-workflow-permissions alerts (one per job, at ci.yml:16 and ci.yml:50). An over-privileged token is a needless supply-chain risk: a compromised or malicious action step could use it to write to the repo.

Solution

Set a single top-level least-privilege block:

permissions:
  contents: read

Declaring it once at the workflow level (rather than per-job) is the smallest change that satisfies the scanner and covers both jobs, since neither needs more: build-and-test and audit only checkout, install, lint, typecheck, test, and run npm audit — all read-only operations. Any future job that genuinely needs to write (e.g. publishing, commenting) can opt into a wider scope with its own job-level permissions: without loosening the default for everything else. A code comment records that reasoning inline.

No behavior change to the build/test pipeline — CI runs identically, just with a tighter token.

Fixes #24
Refs #27

🤖 Generated with Claude Code

Add a top-level `permissions: contents: read` block so GITHUB_TOKEN is
scoped to read-only instead of the repo/org default. Both jobs only read
the repo (checkout, install, lint, typecheck, test, audit), so no job
needs write access. Resolves the two open code-scanning alerts
(actions/missing-workflow-permissions).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@jhamon jhamon added the maintenance Repo maintenance sweep label Jul 10, 2026
@jhamon jhamon merged commit a3229e7 into main Jul 10, 2026
7 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

maintenance Repo maintenance sweep

Projects

None yet

Development

Successfully merging this pull request may close these issues.

ci: set least-privilege GITHUB_TOKEN permissions in workflow

1 participant