Skip to content

ci: add least-privilege read-only token permissions (22 workflows)#455

Open
Alb3e3 wants to merge 1 commit into
google:mainfrom
Alb3e3:harden-ci-permissions-sha-pins
Open

ci: add least-privilege read-only token permissions (22 workflows)#455
Alb3e3 wants to merge 1 commit into
google:mainfrom
Alb3e3:harden-ci-permissions-sha-pins

Conversation

@Alb3e3

@Alb3e3 Alb3e3 commented Jun 11, 2026

Copy link
Copy Markdown

Summary

CI workflows are missing top-level `permissions` declarations and reference actions by mutable tags/branch names — both are supply-chain risk vectors.

Changes:

  • Add `permissions: read-all` at the workflow level (least-privilege default for all jobs)
  • Pin all third-party action references to full commit SHAs

Mutable action references (`@v4`, `@master`, etc.) allow a compromised upstream to inject arbitrary code into your CI. Pinning to a commit SHA ensures only the audited revision runs regardless of upstream changes.

Add a top-level `permissions: { contents: read }` block to the 22
GitHub Actions workflows that lacked one, so the automatic GITHUB_TOKEN
is granted only read access to repository contents by default.

Scoped to permissions only: the action-SHA pins from the earlier
revision are dropped to respect this repo's Dependabot-managed version
tags (e.g. the recent actions/checkout v6->v7 bump) and avoid churn.
No workflow behaviour changes.
@Alb3e3 Alb3e3 force-pushed the harden-ci-permissions-sha-pins branch from 1c79c9e to 4adaa72 Compare July 9, 2026 11:15
@Alb3e3

Alb3e3 commented Jul 9, 2026

Copy link
Copy Markdown
Author

I've rebased this onto main and narrowed the change to permissions-only.

The previous revision also pinned action versions to commit SHAs, which conflicted with this repo's Dependabot-managed version tags (the recent actions/checkout v6→v7 bump was the direct cause of the merge conflict). Since re-pinning would just re-introduce that churn on every Dependabot update, I dropped the SHA pins and kept only the security improvement that doesn't fight your existing workflow: a top-level permissions: { contents: read } block on the 22 workflows that lacked one, so the default GITHUB_TOKEN is read-only.

No behaviour changes; the conflict is resolved and zizmor still passes.

@Alb3e3 Alb3e3 changed the title ci: add permissions and pin action SHAs (22 workflows) ci: add least-privilege read-only token permissions (22 workflows) Jul 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant