ci: add least-privilege permissions to GitHub Actions workflows#6545
ci: add least-privilege permissions to GitHub Actions workflows#6545peter-matkovski wants to merge 18 commits into
Conversation
Restrict default GITHUB_TOKEN scope per workflow. Write scopes granted only where jobs dispatch/cancel workflows, publish packages, or label issues/PRs. Refs: APPSEC-164
PR checklist ❌The following issues were detected:
What we check
|
SDK Size Comparison 📏
|
WalkthroughThis PR adds explicit workflow-level ChangesGitHub Actions permissions hardening
Estimated code review effort: 1 (Trivial) | ~5 minutes Estimated code review effort: 1 (Trivial) | ~5 minutes Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 6
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/build-and-test.yml:
- Around line 13-16: The workflow YAML has an invalid indentation in the
permissions block, causing the file to fail parsing. Fix the permissions section
in the build-and-test workflow so that pull-requests: read is aligned as a
sibling of contents: read, not nested under it. Use the permissions mapping near
the top of the workflow as the reference point and ensure the YAML structure is
valid for GitHub Actions and actionlint/yamllint.
In @.github/workflows/clean-detekt-baseline.yaml:
- Around line 8-11: The workflow YAML is invalid because `pull-requests: read`
is indented under `contents: read` instead of being a sibling permission entry.
Fix the permissions block in the workflow so the `permissions` mapping has
separate `contents` and `pull-requests` keys at the same indentation level,
matching the valid pattern used elsewhere in the repo.
In @.github/workflows/no-response.yml:
- Around line 10-13: The workflow YAML has invalid indentation in the
permissions block, causing the file to fail parsing. Fix the permissions mapping
so pull-requests is aligned as a sibling of issues in the no-response workflow,
and verify the workflow remains valid YAML after the indentation correction.
In @.github/workflows/pr-checks.yml:
- Around line 9-12: The workflow permissions block has invalid YAML because
pull-requests: read is indented as a child of contents: read instead of a
sibling entry. Fix the permissions mapping in pr-checks.yml so contents and
pull-requests are aligned under permissions, using the existing permissions
block near the workflow top-level.
In @.github/workflows/snapshot-test.yaml:
- Around line 18-21: The workflow YAML is invalid because the permissions block
in snapshot-test.yaml has incorrect indentation, causing parse failures. Update
the permissions mapping so pull-requests: read is aligned as a sibling of
contents: read under the permissions section, and verify the workflow remains
valid for actionlint and yamllint.
- Around line 18-21: The workflow permissions are too restrictive for the
snapshot creation step. Update the permissions block used by the
`peter-evans/create-pull-request@v8` step in the snapshot test workflow so
`GITHUB_TOKEN` has write access, specifically `contents: write` and
`pull-requests: write`, instead of read-only access. Keep the change scoped to
the workflow permissions section associated with the create-pull-request job.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository UI
Review profile: CHILL
Plan: Pro
Run ID: 4603db61-7b03-4c74-905b-d396730793fd
📒 Files selected for processing (14)
.github/workflows/apk-s3-distribute.yml.github/workflows/app-distribute-v7.yml.github/workflows/app-distribute.yml.github/workflows/build-and-test.yml.github/workflows/clean-detekt-baseline.yaml.github/workflows/e2e-build.yml.github/workflows/e2e-test-backend.yml.github/workflows/e2e-test-cron.yml.github/workflows/e2e-test.yml.github/workflows/no-response.yml.github/workflows/pr-checks.yml.github/workflows/publish-new-version.yml.github/workflows/sdk-size-updates.yml.github/workflows/snapshot-test.yaml
| permissions: | ||
| contents: read | ||
| pull-requests: read | ||
|
|
There was a problem hiding this comment.
🎯 Functional Correctness | 🔴 Critical | ⚡ Quick win
Invalid YAML — workflow will fail to parse.
pull-requests: read is over-indented under contents: read, which is not valid YAML (a scalar value cannot have a nested mapping). Confirmed by both actionlint and yamllint. This breaks the entire workflow file at parse time.
🐛 Proposed fix
permissions:
contents: read
- pull-requests: read
+ pull-requests: read📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| permissions: | |
| contents: read | |
| pull-requests: read | |
| permissions: | |
| contents: read | |
| pull-requests: read |
🧰 Tools
🪛 actionlint (1.7.12)
[error] 15-15: could not parse as YAML: mapping values are not allowed in this context
(syntax-check)
🪛 YAMLlint (1.37.1)
[error] 15-15: syntax error: mapping values are not allowed here
(syntax)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/build-and-test.yml around lines 13 - 16, The workflow YAML
has an invalid indentation in the permissions block, causing the file to fail
parsing. Fix the permissions section in the build-and-test workflow so that
pull-requests: read is aligned as a sibling of contents: read, not nested under
it. Use the permissions mapping near the top of the workflow as the reference
point and ensure the YAML structure is valid for GitHub Actions and
actionlint/yamllint.
Source: Linters/SAST tools
| permissions: | ||
| contents: read | ||
| pull-requests: read | ||
|
|
There was a problem hiding this comment.
🎯 Functional Correctness | 🔴 Critical | ⚡ Quick win
Invalid YAML — workflow will fail to parse.
Same indentation defect as in build-and-test.yml: pull-requests: read is nested under the scalar contents: read, which is invalid YAML. Confirmed by actionlint/yamllint.
🐛 Proposed fix
permissions:
contents: read
- pull-requests: read
+ pull-requests: read📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| permissions: | |
| contents: read | |
| pull-requests: read | |
| permissions: | |
| contents: read | |
| pull-requests: read |
🧰 Tools
🪛 actionlint (1.7.12)
[error] 10-10: could not parse as YAML: mapping values are not allowed in this context
(syntax-check)
🪛 YAMLlint (1.37.1)
[error] 10-10: syntax error: mapping values are not allowed here
(syntax)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/clean-detekt-baseline.yaml around lines 8 - 11, The
workflow YAML is invalid because `pull-requests: read` is indented under
`contents: read` instead of being a sibling permission entry. Fix the
permissions block in the workflow so the `permissions` mapping has separate
`contents` and `pull-requests` keys at the same indentation level, matching the
valid pattern used elsewhere in the repo.
Source: Linters/SAST tools
| permissions: | ||
| issues: write | ||
| pull-requests: write | ||
|
|
There was a problem hiding this comment.
🩺 Stability & Availability | 🔴 Critical | ⚡ Quick win
Invalid YAML indentation breaks the entire workflow.
pull-requests: write is nested under issues: write instead of being a sibling mapping key. actionlint and yamllint both report could not parse as YAML: mapping values are not allowed in this context at this line, which will prevent the workflow from parsing/running at all.
🔧 Fix indentation
permissions:
issues: write
- pull-requests: write
+ pull-requests: write📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| permissions: | |
| issues: write | |
| pull-requests: write | |
| permissions: | |
| issues: write | |
| pull-requests: write |
🧰 Tools
🪛 actionlint (1.7.12)
[error] 12-12: could not parse as YAML: mapping values are not allowed in this context
(syntax-check)
🪛 YAMLlint (1.37.1)
[error] 12-12: syntax error: mapping values are not allowed here
(syntax)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/no-response.yml around lines 10 - 13, The workflow YAML
has invalid indentation in the permissions block, causing the file to fail
parsing. Fix the permissions mapping so pull-requests is aligned as a sibling of
issues in the no-response workflow, and verify the workflow remains valid YAML
after the indentation correction.
Source: Linters/SAST tools
| permissions: | ||
| contents: read | ||
| pull-requests: read | ||
|
|
There was a problem hiding this comment.
🩺 Stability & Availability | 🔴 Critical | ⚡ Quick win
Invalid YAML indentation breaks the entire workflow.
pull-requests: read is nested under contents: read instead of being a sibling mapping key, which is invalid YAML. Static analysis confirms this: actionlint reports could not parse as YAML: mapping values are not allowed in this context and yamllint reports a matching syntax error. This will cause the whole workflow to fail to run.
🔧 Fix indentation
permissions:
contents: read
- pull-requests: read
+ pull-requests: read📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| permissions: | |
| contents: read | |
| pull-requests: read | |
| permissions: | |
| contents: read | |
| pull-requests: read |
🧰 Tools
🪛 actionlint (1.7.12)
[error] 11-11: could not parse as YAML: mapping values are not allowed in this context
(syntax-check)
🪛 YAMLlint (1.37.1)
[error] 11-11: syntax error: mapping values are not allowed here
(syntax)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/pr-checks.yml around lines 9 - 12, The workflow
permissions block has invalid YAML because pull-requests: read is indented as a
child of contents: read instead of a sibling entry. Fix the permissions mapping
in pr-checks.yml so contents and pull-requests are aligned under permissions,
using the existing permissions block near the workflow top-level.
Source: Linters/SAST tools
| permissions: | ||
| contents: read | ||
| pull-requests: read | ||
|
|
There was a problem hiding this comment.
🩺 Stability & Availability | 🔴 Critical | ⚡ Quick win
Invalid YAML indentation breaks the entire workflow.
pull-requests: read is nested under contents: read rather than being a sibling key. actionlint and yamllint both flag could not parse as YAML: mapping values are not allowed in this context at this line.
🔧 Fix indentation
permissions:
contents: read
- pull-requests: read
+ pull-requests: read📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| permissions: | |
| contents: read | |
| pull-requests: read | |
| permissions: | |
| contents: read | |
| pull-requests: read |
🧰 Tools
🪛 actionlint (1.7.12)
[error] 20-20: could not parse as YAML: mapping values are not allowed in this context
(syntax-check)
🪛 YAMLlint (1.37.1)
[error] 20-20: syntax error: mapping values are not allowed here
(syntax)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/snapshot-test.yaml around lines 18 - 21, The workflow YAML
is invalid because the permissions block in snapshot-test.yaml has incorrect
indentation, causing parse failures. Update the permissions mapping so
pull-requests: read is aligned as a sibling of contents: read under the
permissions section, and verify the workflow remains valid for actionlint and
yamllint.
Source: Linters/SAST tools
🎯 Functional Correctness | 🟠 Major | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Inspect the workflow around the referenced lines.
if [ -f .github/workflows/snapshot-test.yaml ]; then
nl -ba .github/workflows/snapshot-test.yaml | sed -n '1,140p'
fi
# Look for the create-pull-request action usage in this workflow.
rg -n "create-pull-request|record ==|permissions:|pull-requests:|contents:" .github/workflows/snapshot-test.yaml || trueRepository: GetStream/stream-chat-android
Length of output: 207
🏁 Script executed:
#!/bin/bash
set -euo pipefail
if [ -f .github/workflows/snapshot-test.yaml ]; then
sed -n '1,140p' .github/workflows/snapshot-test.yaml
fi
printf '\n--- matches ---\n'
rg -n "create-pull-request|record ==|permissions:|pull-requests:|contents:" .github/workflows/snapshot-test.yaml || trueRepository: GetStream/stream-chat-android
Length of output: 2277
🌐 Web query:
peter-evans/create-pull-request@v8 permissions contents write pull-requests write default GITHUB_TOKEN documentation
💡 Result:
To use peter-evans/create-pull-request@v8 with the default GITHUB_TOKEN, you must explicitly elevate the token's permissions in your workflow file [1][2]. For repositories created after February 2, 2023, the default GITHUB_TOKEN permissions are read-only, which prevents the action from creating or updating pull requests [3][1]. To grant the necessary access, include the following permissions block in your workflow job [1][2]: permissions: contents: write pull-requests: write Additionally, you must ensure that GitHub Actions is permitted to create pull requests in your repository settings. Navigate to your repository's Settings > Actions > General > Workflow permissions and ensure that "Allow GitHub Actions to create and approve pull requests" is enabled [1][2][4]. Important considerations: - Forked repositories: If a workflow is triggered by a pull request from a fork, the GITHUB_TOKEN will have read-only access regardless of your permission settings [5][6][7]. In such cases, the action will fail to create pull requests [6][7]. - Triggering further workflows: Pull requests created by the default GITHUB_TOKEN will not trigger subsequent on: push or on: pull_request workflows [1][6]. If you require downstream workflows to run automatically, you must use a Personal Access Token (PAT) or a GitHub App token instead [1][8][2].
Citations:
- 1: https://github.com/peter-evans/create-pull-request/blob/main/README.md
- 2: https://github.com/peter-evans/create-pull-request?tab=readme-ov-file
- 3: https://github.com/peter-evans/create-pull-request
- 4: https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository
- 5: https://github.com/peter-evans/create-pull-request/blob/HEAD/docs/concepts-guidelines.md
- 6: https://github.com/peter-evans/create-pull-request/blob/main/docs/concepts-guidelines.md
- 7: Resource not accessible by integration peter-evans/create-pull-request#3236
- 8: https://github.com/peter-evans/create-pull-request/blob/main/docs/examples.md
Grant write access for create-pull-request
peter-evans/create-pull-request@v8 runs with the default GITHUB_TOKEN here, so record: true needs contents: write and pull-requests: write; read will cause that step to fail.
🔧 Suggested permissions
permissions:
- contents: read
- pull-requests: read
+ contents: write
+ pull-requests: write🧰 Tools
🪛 actionlint (1.7.12)
[error] 20-20: could not parse as YAML: mapping values are not allowed in this context
(syntax-check)
🪛 YAMLlint (1.37.1)
[error] 20-20: syntax error: mapping values are not allowed here
(syntax)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/snapshot-test.yaml around lines 18 - 21, The workflow
permissions are too restrictive for the snapshot creation step. Update the
permissions block used by the `peter-evans/create-pull-request@v8` step in the
snapshot test workflow so `GITHUB_TOKEN` has write access, specifically
`contents: write` and `pull-requests: write`, instead of read-only access. Keep
the change scoped to the workflow permissions section associated with the
create-pull-request job.
|



Goal
Add least-privilege
permissionsblocks to GitHub Actions workflows to resolve CodeQLactions/missing-workflow-permissionsalerts (APPSEC-164).Implementation
permissionsblocks across GitHub Actions workflows.contents: read,pull-requests: read).Testing