ci: set workflow permissions to read-only by default#294

Merged
Eomm merged 2 commits into main from ci/perms
Apr 3, 2025
Conversation

Fdawgs (Member) commented Mar 31, 2025

This PR is created by a script. Please check the changes prior to merging.

This PR adds permissions to the workflow and job level, making the workflows read-only by default, and allowing write access only at the job level via granular permissions. This is regularly flagged by CodeQL, Step Security, OSSF, and other security tools.
This change also allows the org to go read-only everywhere, see fastify/avvio#308 (comment)
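The pattern described above (read-only `permissions` at the workflow level, write scopes granted only on the jobs that need them) is easy to get wrong by hand, so here is an added Ruby audit script, not code from this PR or from the fastify project, that checks a workflow file for it. It flags a missing top-level `permissions` block (jobs would then inherit the repository's default GITHUB_TOKEN scopes), any `write` or `write-all` at the top level, and `write-all` on a job, while reporting the explicit per-job write grants that the pattern intends. The three workflow texts are constructed samples, not the repository's own workflows; the `setup`/`test`/`publish` job names and the scopes are assumptions for illustration.

```ruby
require "yaml"

# Constructed sample: no permissions anywhere, so every job inherits the
# repository default GITHUB_TOKEN scopes (often write-all on older repos).
BEFORE = <<~YAML
  name: ci
  on: [push, pull_request]
  jobs:
    test:
      runs-on: ubuntu-latest
      steps:
        - uses: actions/checkout@v4
        - run: npm test
    publish:
      runs-on: ubuntu-latest
      steps:
        - run: npm publish
YAML

# Constructed sample in the shape this PR introduces: read-only by default,
# write scopes listed only on the job that needs them.
AFTER = <<~YAML
  name: ci
  on: [push, pull_request]
  permissions:
    contents: read
  jobs:
    test:
      runs-on: ubuntu-latest
      permissions:
        contents: read
      steps:
        - uses: actions/checkout@v4
        - run: npm test
    publish:
      runs-on: ubuntu-latest
      permissions:
        contents: write
        id-token: write
      steps:
        - run: npm publish
YAML

# Constructed sample of the anti-pattern: blanket write access at both levels.
WRITE_ALL = <<~YAML
  on: push
  permissions: write-all
  jobs:
    release:
      runs-on: ubuntu-latest
      permissions: write-all
      steps:
        - run: echo release
YAML

# Scopes on which a `permissions` value grants write access.
# "write-all" is represented as ["*"]; nil, "read-all" and {} grant none.
def write_scopes(perms)
  case perms
  when "write-all" then ["*"]
  when Hash then perms.select { |_, level| level == "write" }.keys
  else []
  end
end

# Returns { findings: [problems], write_grants: { job => [scopes] } }.
def audit(workflow_yaml)
  wf = YAML.safe_load(workflow_yaml)
  findings = []
  top = wf["permissions"]
  if top.nil?
    findings << "workflow: no top-level permissions; jobs inherit the repository default GITHUB_TOKEN scopes"
  elsif write_scopes(top).any?
    findings << "workflow: top-level permissions grant write (#{write_scopes(top).join(', ')}); make this read-only and elevate per job"
  end

  write_grants = {}
  (wf["jobs"] || {}).each do |name, job|
    scopes = write_scopes(job["permissions"])
    next if scopes.empty?
    if scopes == ["*"]
      findings << "job #{name}: permissions: write-all; list only the scopes the job needs"
    else
      write_grants[name] = scopes
    end
  end
  { findings: findings, write_grants: write_grants }
end

if __FILE__ == $PROGRAM_NAME
  { "before" => BEFORE, "after" => AFTER, "write-all" => WRITE_ALL }.each do |label, text|
    result = audit(text)
    status = result[:findings].empty? ? "ok" : result[:findings].join("; ")
    puts "#{label}: #{status} (write grants: #{result[:write_grants]})"
  end
end
```

The `test` job in the AFTER sample repeats `contents: read` from the top level; that duplication is harmless and the audit does not flag it, since only write grants change the token's effective scope. Psych parses the bare `on:` key as boolean `true`, which does not matter here because the audit only reads `permissions` and `jobs`.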

  setup:
    runs-on: ubuntu-latest
    permissions:
      contents: read
Review comment (Member):

Do we need to repeat the same code on the job and on the file too?

permissions:
  contents: read

Fdawgs (Member Author):

Nah, it was just for posterity's sake; if we ever need to set it differently from the default, the permissions are already there.

@Eomm Eomm merged commit 828eddc into main Apr 3, 2025
5 of 6 checks passed
@Eomm Eomm deleted the ci/perms branch April 3, 2025 07:49