Skip to content

ci: grant release.yml write scopes at the job level, not top level#98

Merged
Reefact merged 1 commit into
mainfrom
claude/scorecard-token-permissions
Jul 11, 2026
Merged

ci: grant release.yml write scopes at the job level, not top level#98
Reefact merged 1 commit into
mainfrom
claude/scorecard-token-permissions

Conversation

@Reefact

@Reefact Reefact commented Jul 11, 2026

Copy link
Copy Markdown
Owner

Summary

Fixes OpenSSF Scorecard's Token-Permissions check, which scored 0 ("detected GitHub workflow tokens with excessive permissions"). The only offender was release.yml, which declared contents/id-token/attestations: write at the top level — a top-level write applies to every job, which the check flags as excessive.

release.yml has a single job (pack-push), so the three write scopes are moved onto that job and the top-level token is left read-only (contents: read). Behaviour is identical; the workflow now follows the least-privilege shape (top-level read, writes granted per job) the check rewards. dependabot-automerge.yml already follows this pattern (top-level read, job-level write genuinely needed for gh pr merge --auto) and is left untouched.

Note: confirmation comes from the next scorecard run on main. The top-level write was the 0-driver, so this should lift the check substantially (job-level writes are the documented remediation).

Type of change

  • Bug fix
  • New feature
  • Breaking change
  • Refactoring
  • Analyzer / diagnostic change
  • Tests
  • Documentation
  • Build / CI / tooling

Changes

  • release.yml: top-level permissions set to contents: read; contents: write, id-token: write, attestations: write moved onto the pack-push job (comments preserved).
  • maintainers/workflows/release.{en,fr}.md: "Permissions & security" section updated to note the top-level-read / per-job-write structure.

Testing

  • dotnet build FirstClassErrors.sln — not relevant (workflow-config change only; no solution code touched).
  • dotnet test FirstClassErrors.sln — not relevant.
  • Validated release.yml parses as YAML and that the effective permissions are unchanged for the pack-push job. The release workflow itself runs only on version tags, so it is not exercised by this PR (its logic is rehearsed separately by release-dryrun).

Documentation

  • Public API / error documentation updated
  • README / doc/ updated
  • French translation (doc/README.fr.md) updated if user-facing behavior changed
  • No user-facing documentation change required. The maintainer workflow notes (release.en.md / release.fr.md) were kept in sync with the permission restructure.

Related issues

None.

🤖 Generated with Claude Code

https://claude.ai/code/session_014W1zrcBNy3jEs8ngAQKwZg


Generated by Claude Code

release.yml declared contents/id-token/attestations write at the top level, so
OpenSSF Scorecard's Token-Permissions check scored 0 ("detected GitHub workflow
tokens with excessive permissions") — a top-level write applies to every job.

Move the three write scopes onto the single pack-push job that uses them and keep
the top-level token read-only (contents: read). Behaviour is unchanged (the one
job gets exactly the same permissions), but the workflow now follows the
least-privilege shape the check rewards. English and French maintainer notes kept
in sync.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_014W1zrcBNy3jEs8ngAQKwZg
@Reefact Reefact merged commit 072ac7e into main Jul 11, 2026
11 checks passed
@Reefact Reefact deleted the claude/scorecard-token-permissions branch July 11, 2026 10:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants