-
Notifications
You must be signed in to change notification settings - Fork 317
ci: add least-privilege permissions to GitHub Actions workflows #6545
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: develop
Are you sure you want to change the base?
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|
@@ -5,6 +5,10 @@ on: | |||||||||||||
| # Every midnight | ||||||||||||||
| - cron: "0 0 * * *" | ||||||||||||||
|
|
||||||||||||||
| permissions: | ||||||||||||||
| contents: read | ||||||||||||||
| pull-requests: read | ||||||||||||||
|
|
||||||||||||||
|
Comment on lines
+8
to
+11
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🎯 Functional Correctness | 🔴 Critical | ⚡ Quick win Invalid YAML — workflow will fail to parse. Same indentation defect as in 🐛 Proposed fix permissions:
contents: read
- pull-requests: read
+ pull-requests: read📝 Committable suggestion
Suggested change
🧰 Tools🪛 actionlint (1.7.12)[error] 10-10: could not parse as YAML: mapping values are not allowed in this context (syntax-check) 🪛 YAMLlint (1.37.1)[error] 10-10: syntax error: mapping values are not allowed here (syntax) 🤖 Prompt for AI AgentsSource: Linters/SAST tools |
||||||||||||||
| jobs: | ||||||||||||||
| clean_detekt_baseline_files: | ||||||||||||||
| name: Clean Detekt Baseline Files | ||||||||||||||
|
|
||||||||||||||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -17,6 +17,9 @@ | |
| group: ${{ github.ref }} | ||
| cancel-in-progress: true | ||
|
|
||
| permissions: | ||
| contents: read | ||
Check noticeCode scanning / SonarCloud Read permissions should be defined at the job level Low
Move this read permission from workflow level to job level. See more on SonarQube Cloud
Check warning on line 21 in .github/workflows/e2e-test-cron.yml
|
||
|
|
||
|
|
||
| env: | ||
| BUILD_CACHE_AWS_REGION: ${{ secrets.BUILD_CACHE_AWS_REGION }} | ||
| BUILD_CACHE_AWS_BUCKET: ${{ secrets.BUILD_CACHE_AWS_BUCKET }} | ||
|
|
||
| Original file line number | Diff line number | Diff line change | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|
@@ -7,6 +7,10 @@ on: | |||||||||||||
| # Every midnight | ||||||||||||||
| - cron: '0 0 * * *' | ||||||||||||||
|
|
||||||||||||||
| permissions: | ||||||||||||||
| issues: write | ||||||||||||||
| pull-requests: write | ||||||||||||||
|
|
||||||||||||||
|
Comment on lines
+10
to
+13
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🩺 Stability & Availability | 🔴 Critical | ⚡ Quick win Invalid YAML indentation breaks the entire workflow.
🔧 Fix indentation permissions:
issues: write
- pull-requests: write
+ pull-requests: write📝 Committable suggestion
Suggested change
🧰 Tools🪛 actionlint (1.7.12)[error] 12-12: could not parse as YAML: mapping values are not allowed in this context (syntax-check) 🪛 YAMLlint (1.37.1)[error] 12-12: syntax error: mapping values are not allowed here (syntax) 🤖 Prompt for AI AgentsSource: Linters/SAST tools |
||||||||||||||
| jobs: | ||||||||||||||
| noResponse: | ||||||||||||||
| runs-on: ubuntu-22.04 | ||||||||||||||
|
|
||||||||||||||
| Original file line number | Diff line number | Diff line change | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|
@@ -6,6 +6,10 @@ concurrency: | |||||||||||||
| group: ${{ github.head_ref }} | ||||||||||||||
| cancel-in-progress: true | ||||||||||||||
|
|
||||||||||||||
| permissions: | ||||||||||||||
| contents: read | ||||||||||||||
| pull-requests: read | ||||||||||||||
|
|
||||||||||||||
|
Comment on lines
+9
to
+12
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🩺 Stability & Availability | 🔴 Critical | ⚡ Quick win Invalid YAML indentation breaks the entire workflow.
🔧 Fix indentation permissions:
contents: read
- pull-requests: read
+ pull-requests: read📝 Committable suggestion
Suggested change
🧰 Tools🪛 actionlint (1.7.12)[error] 11-11: could not parse as YAML: mapping values are not allowed in this context (syntax-check) 🪛 YAMLlint (1.37.1)[error] 11-11: syntax error: mapping values are not allowed here (syntax) 🤖 Prompt for AI AgentsSource: Linters/SAST tools |
||||||||||||||
| jobs: | ||||||||||||||
| base-android-ci: | ||||||||||||||
| uses: GetStream/stream-build-conventions-android/.github/workflows/android-ci.yml@v0.13.1 | ||||||||||||||
|
|
||||||||||||||
| Original file line number | Diff line number | Diff line change | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|
@@ -15,6 +15,10 @@ env: | |||||||||||||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||||||||||||||
| GITHUB_PR_NUM: ${{ github.event.pull_request.number }} | ||||||||||||||
|
|
||||||||||||||
| permissions: | ||||||||||||||
| contents: read | ||||||||||||||
| pull-requests: read | ||||||||||||||
|
|
||||||||||||||
|
Comment on lines
+18
to
+21
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🩺 Stability & Availability | 🔴 Critical | ⚡ Quick win Invalid YAML indentation breaks the entire workflow.
🔧 Fix indentation permissions:
contents: read
- pull-requests: read
+ pull-requests: read📝 Committable suggestion
Suggested change
🧰 Tools🪛 actionlint (1.7.12)[error] 20-20: could not parse as YAML: mapping values are not allowed in this context (syntax-check) 🪛 YAMLlint (1.37.1)[error] 20-20: syntax error: mapping values are not allowed here (syntax) 🤖 Prompt for AI AgentsSource: Linters/SAST tools 🎯 Functional Correctness | 🟠 Major | ⚡ Quick win 🧩 Analysis chain🏁 Script executed: #!/bin/bash
set -euo pipefail
# Inspect the workflow around the referenced lines.
if [ -f .github/workflows/snapshot-test.yaml ]; then
nl -ba .github/workflows/snapshot-test.yaml | sed -n '1,140p'
fi
# Look for the create-pull-request action usage in this workflow.
rg -n "create-pull-request|record ==|permissions:|pull-requests:|contents:" .github/workflows/snapshot-test.yaml || trueRepository: GetStream/stream-chat-android Length of output: 207 🏁 Script executed: #!/bin/bash
set -euo pipefail
if [ -f .github/workflows/snapshot-test.yaml ]; then
sed -n '1,140p' .github/workflows/snapshot-test.yaml
fi
printf '\n--- matches ---\n'
rg -n "create-pull-request|record ==|permissions:|pull-requests:|contents:" .github/workflows/snapshot-test.yaml || trueRepository: GetStream/stream-chat-android Length of output: 2277 🌐 Web query:
💡 Result: To use peter-evans/create-pull-request@v8 with the default GITHUB_TOKEN, you must explicitly elevate the token's permissions in your workflow file [1][2]. For repositories created after February 2, 2023, the default GITHUB_TOKEN permissions are read-only, which prevents the action from creating or updating pull requests [3][1]. To grant the necessary access, include the following permissions block in your workflow job [1][2]: permissions: contents: write pull-requests: write Additionally, you must ensure that GitHub Actions is permitted to create pull requests in your repository settings. Navigate to your repository's Settings > Actions > General > Workflow permissions and ensure that "Allow GitHub Actions to create and approve pull requests" is enabled [1][2][4]. Important considerations: - Forked repositories: If a workflow is triggered by a pull request from a fork, the GITHUB_TOKEN will have read-only access regardless of your permission settings [5][6][7]. In such cases, the action will fail to create pull requests [6][7]. - Triggering further workflows: Pull requests created by the default GITHUB_TOKEN will not trigger subsequent on: push or on: pull_request workflows [1][6]. If you require downstream workflows to run automatically, you must use a Personal Access Token (PAT) or a GitHub App token instead [1][8][2]. Citations:
Grant write access for
🔧 Suggested permissions permissions:
- contents: read
- pull-requests: read
+ contents: write
+ pull-requests: write🧰 Tools🪛 actionlint (1.7.12)[error] 20-20: could not parse as YAML: mapping values are not allowed in this context (syntax-check) 🪛 YAMLlint (1.37.1)[error] 20-20: syntax error: mapping values are not allowed here (syntax) 🤖 Prompt for AI Agents |
||||||||||||||
| jobs: | ||||||||||||||
| run_snapshot_tests: | ||||||||||||||
| name: Run | ||||||||||||||
|
|
||||||||||||||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🎯 Functional Correctness | 🔴 Critical | ⚡ Quick win
Invalid YAML — workflow will fail to parse.
pull-requests: readis over-indented undercontents: read, which is not valid YAML (a scalar value cannot have a nested mapping). Confirmed by both actionlint and yamllint. This breaks the entire workflow file at parse time.🐛 Proposed fix
📝 Committable suggestion
🧰 Tools
🪛 actionlint (1.7.12)
[error] 15-15: could not parse as YAML: mapping values are not allowed in this context
(syntax-check)
🪛 YAMLlint (1.37.1)
[error] 15-15: syntax error: mapping values are not allowed here
(syntax)
🤖 Prompt for AI Agents
Source: Linters/SAST tools