[Code Quality] Add explicit minimal permissions to 5 workflows using risky event triggers #13165
Description
Description
Static analysis (#13119) identified 5 workflows using default permissions on risky event triggers (pull_request_target, issue_comment), which could allow excessive permissions for untrusted code execution. This is a security hardening opportunity.
Affected Workflows
- q.lock.yml - Uses risky triggers with default permissions
- scout.lock.yml - Uses risky triggers with default permissions
- grumpy-reviewer.lock.yml - PR reviewer with broad permissions
- pr-nitpick-reviewer.lock.yml - PR reviewer with broad permissions
- plan.lock.yml - Planning workflow with default permissions
Security Risk
Default Permissions on Risky Events (poutine security scanner):
- Severity: Warning
- Description: Workflows using
pull_request_targetorissue_commenttriggers without explicit minimal permissions - Impact: Untrusted code (from PRs/comments) could have excessive permissions to repository resources
- Best Practice: Explicitly define minimal required permissions
Risky Event Triggers
- pull_request_target: Runs in context of base branch with write access
- issue_comment: Can be triggered by any user commenting on issues/PRs
- Both require careful permission scoping to prevent security issues
Recommended Fix
Add explicit minimal permissions to workflow frontmatter:
---
# Before (implicit default permissions)
on:
pull_request_target:
issue_comment:
# After (explicit minimal permissions)
on:
pull_request_target:
issue_comment:
permissions:
contents: read # Read-only access to repository contents
issues: write # Only if workflow creates/updates issues
pull-requests: write # Only if workflow comments on PRs
# Omit any permissions not needed
---Implementation Approach
-
Review each workflow to determine actual permissions needed:
# Find source markdown files find .github/workflows -name "q.md" find .github/workflows -name "scout.md" find .github/workflows -name "grumpy-reviewer.md" find .github/workflows -name "pr-nitpick-reviewer.md" find .github/workflows -name "plan.md"
-
Identify required permissions:
- What GitHub API operations does the workflow perform?
- Does it read code? (contents: read)
- Does it comment on PRs? (pull-requests: write)
- Does it create issues? (issues: write)
-
Add minimal permissions to frontmatter:
permissions: contents: read issues: write # Only if needed pull-requests: write # Only if needed
-
Test workflows:
- Trigger workflows with new permissions
- Verify they still function correctly
- Confirm no permission errors
-
Recompile:
make recompileto regenerate.lock.ymlfiles
Success Criteria
- All 5 workflows have explicit minimal permissions defined
- Permissions follow principle of least privilege
- Workflows function correctly with new permissions
- Static analysis re-run shows 0 permission warnings
- Document permission requirements for risky event triggers
Impact
- Severity: Medium (security hardening, not active vulnerability)
- Scope: 5 workflows using risky event triggers
- Benefit: Reduced attack surface, better security posture, follows GitHub best practices
Source
Extracted from Discussion #13119 - Static Analysis Report (Feb 1, 2026)
"Priority 3 - Permission Hardening: Add explicit minimal permissions to workflows using risky event triggers."
Priority
Medium - Security hardening that should be addressed but not urgent
Estimated Effort: 2-3 hours (review 5 workflows + test + document)
References
AI generated by Discussion Task Miner - Code Quality Improvement Agent
- expires on Feb 15, 2026, 9:07 PM UTC