security(workflows): add least-privilege permissions blocks to all 14 workflow files#5917
Merged
rtibbles merged 4 commits into [target branch not captured] on May 16, 2026
… shims All write operations in these workflows are performed by the LE bot app token (LE_BOT_APP_ID / LE_BOT_PRIVATE_KEY). The GITHUB_TOKEN itself requires only contents:read for the reusable-workflow call to be bounded. Addresses CodeQL actions/missing-workflow-permissions alerts. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…nd i18n workflows pre-commit.yml: fkirc/skip-duplicate-actions degrades gracefully to always-run when it cannot read workflow runs; the tighter scope is preferred per the audit. i18n-download.yml: PR creation uses the LE bot app token, not GITHUB_TOKEN, so no write scope is needed. Addresses CodeQL actions/missing-workflow-permissions alerts. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…:read fkirc/skip-duplicate-actions requires actions:read to query prior workflow runs. contents:read is required for actions/checkout. No write operations are performed by GITHUB_TOKEN in these workflows. Addresses CodeQL actions/missing-workflow-permissions alerts. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…ges:write The postgres job logs in to ghcr.io with GITHUB_TOKEN and pushes the image on non-PR runs, requiring packages:write. The nginx job only test-builds and never pushes, but the scope is declared at workflow level. contents:read covers actions/checkout. Addresses CodeQL actions/missing-workflow-permissions alerts. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
rtibbles approved these changes on May 16, 2026
Plan: Add top-level permissions: blocks to all 14 GitHub workflow files in .github/workflows/ so that the GITHUB_TOKEN is restricted to only the scopes each workflow actually uses.

- permissions to the 7 delegated call-* shims
- permissions to pre-commit.yml, i18n-download.yml, i18n-upload.yml
- permissions to deploytest.yml, frontendtest.yml, pythontest.yml
- permissions to containerbuild.yml

Summary

Adds top-level permissions: blocks to all 14 GitHub workflow files that previously had none. Without explicit permissions, workflows inherit the repository's default GITHUB_TOKEN scope (typically read-all), giving test runners and thin shims far more access than they need. This restricts each token to the minimum the workflow actually uses and resolves 14 outstanding CodeQL actions/missing-workflow-permissions alerts.

Most workflows receive only contents: read (required for actions/checkout). The three CI workflows that use fkirc/skip-duplicate-actions also get actions: read (that action reads prior run state). The container build workflow gets packages: write because it pushes images to ghcr.io using GITHUB_TOKEN directly. All other write operations (PRs, labels, Slack) go through the LE bot app token and need no GITHUB_TOKEN write scope.

References

Closes #5915.

Reviewer guidance

- containerbuild.yml: packages: write is declared at top level (not job level) — GitHub mints the token before any step's if: guard evaluates. Verify the ghcr.io push succeeds on non-PR runs.
- deploytest.yml, frontendtest.yml, pythontest.yml: actions: read is included for fkirc/skip-duplicate-actions. Without it the action degrades gracefully (always runs). Watch for any "Resource not accessible by integration" errors in CI.
- permissions: blocks that could conflict with the new top-level declarations.

AI usage

Claude Code implemented the changes following a pre-approved plan. The plan audited each workflow's operations against GitHub permission scope docs and specified the exact minimal scope for each file. YAML and permission values were validated programmatically before committing.
@rtibblesbot's comments are generated by an LLM, and should be evaluated accordingly
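The two permission shapes the description singles out, written as an added illustration rather than as any of the repository's own workflow files: a container-build workflow that needs packages: write because it logs in to ghcr.io with GITHUB_TOKEN, and a CI workflow that needs actions: read because fkirc/skip-duplicate-actions queries prior runs. The two workflows are shown in one block separated by `---` (in a repository they would be separate files). The scopes match what the PR states; the action versions, branch names, Docker context paths and image tags are assumptions for the sake of the example.

```yaml
# Added example, not from the repository.
# Weak setting: a workflow with NO permissions: key at all inherits the
# repository default token scope (typically read-all), so even a shim that
# only runs actions/checkout holds read access to issues, packages, etc.
#
# Corrected setting (1): container build. The push to ghcr.io uses
# GITHUB_TOKEN directly, so packages: write is genuinely required. It is
# declared at workflow level because the token is minted with its scopes
# before any step's `if:` guard is evaluated; a step-level condition cannot
# narrow it afterwards.
name: container-build (illustrative)

on:
  push:
    branches: [develop]          # assumed branch name
  pull_request:

permissions:
  contents: read                 # actions/checkout
  packages: write                # ghcr.io push by the postgres job on non-PR runs

jobs:
  postgres:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Log in to ghcr.io (non-PR runs only)
        if: github.event_name != 'pull_request'
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}   # the token the permissions block scopes
      - name: Build, and push only on non-PR runs
        uses: docker/build-push-action@v6
        with:
          context: ./docker/postgres                          # assumed path
          push: ${{ github.event_name != 'pull_request' }}
          tags: ghcr.io/${{ github.repository }}/postgres:ci  # assumed tag

  nginx:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Test-build only, never pushed
        uses: docker/build-push-action@v6
        with:
          context: ./docker/nginx                             # assumed path
          push: false

---
# Corrected setting (2): a CI workflow that uses fkirc/skip-duplicate-actions.
# The action reads prior workflow runs, which needs actions: read. Without that
# scope it degrades to "never skip" rather than failing, so the symptom of a
# missing scope is duplicated runs, not a red build.
name: ci-test (illustrative)

on:
  push:
  pull_request:

permissions:
  contents: read                 # actions/checkout
  actions: read                  # fkirc/skip-duplicate-actions queries prior runs

jobs:
  pre_job:
    runs-on: ubuntu-latest
    outputs:
      should_skip: ${{ steps.skip_check.outputs.should_skip }}
    steps:
      - id: skip_check
        uses: fkirc/skip-duplicate-actions@v5
        with:
          github_token: ${{ github.token }}

  test:
    needs: pre_job
    if: needs.pre_job.outputs.should_skip != 'true'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: echo "test suite runs here"   # placeholder for the real test step
```

Anything that must write (opening PRs, applying labels, posting to Slack) stays out of GITHUB_TOKEN's scope entirely and is done with the separately minted LE bot app token, as the commit messages above describe, so the explicit block never needs more than the read scopes plus packages: write in the one workflow that pushes an image.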