[Code Quality] Fix default permissions on risky events (14 workflows) #14231

@github-actions

Description

14 workflows are triggered by risky events (issue_comment, pull_request_target) but declare no explicit permissions block, so their GITHUB_TOKEN falls back to the repository's default token permissions (read-write on many existing repositories), violating the principle of least privilege. Both events run in the context of the base repository with a privileged token even when the triggering comment or pull request comes from a fork, so any step that can be influenced by untrusted input inherits every scope the token carries. This is the default_permissions_on_risky_events supply chain finding reported by the poutine scanner.

Current State

  • Affected Workflows: 14 workflows
  • Severity: Warning (Poutine security scanner)
  • Impact: The token available to these jobs can carry write scopes the job never uses, so a compromised step has more to abuse than it needs

Affected Workflows

Edit the markdown source files (the .md files, NOT the generated .lock.yml files, which are overwritten on recompile):

  • .github/workflows/ai-moderator.md
  • .github/workflows/archie.md
  • .github/workflows/brave.md
  • .github/workflows/cloclo.md
  • .github/workflows/grumpy-reviewer.md
  • .github/workflows/mergefest.md
  • .github/workflows/pdf-summary.md
  • .github/workflows/plan.md
  • .github/workflows/pr-nitpick-reviewer.md
  • .github/workflows/q.md
  • .github/workflows/scout.md
  • .github/workflows/security-review.md
  • .github/workflows/tidy.md
  • .github/workflows/unbloat-docs.md

Suggested Changes

Add explicit minimal permissions to the frontmatter. In GitHub Actions, declaring any permissions block also sets every scope not listed to none, so list only what the workflow's steps actually use:

Before:

---
name: Example Workflow
on:
  issue_comment:
    types: [created]
---

After:

---
name: Example Workflow
on:
  issue_comment:
    types: [created]
permissions:
  contents: read
  issues: write
  pull-requests: write
---

Common Permission Patterns

  • Read data + create reports: contents: read, issues: write, pull-requests: read
  • Respond to comments: contents: read, issues: write, pull-requests: write
  • Modify code: contents: write, issues: write, pull-requests: write
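As an added example (not the issue's own text and not the project's tooling), the following script re-implements the check behind the poutine default_permissions_on_risky_events finding over the .md sources described above, so the fix can be verified locally before and after editing the frontmatter. It also flags a blanket permissions: write-all, which satisfies "explicit" but not "least privilege". The frontmatter parser is an assumed, line-based subset of YAML (top-level keys, the on: block in flow-list, block-list or nested-key form, and a scalar or mapped permissions: key); RISKY_EVENTS holds only the two events named in the issue, and the sample frontmatter strings are constructed for the demonstration.

```python
"""Flag agentic-workflow .md sources that use a risky trigger without an
explicit permissions block.  Added example, not project tooling.  The parser
is an assumed line-based subset of YAML, not a full YAML implementation."""
from __future__ import annotations

import re
from pathlib import Path

# Events named in the issue; extending this set is an assumption.
RISKY_EVENTS = {"issue_comment", "pull_request_target"}
FRONTMATTER_RE = re.compile(r"\A---\r?\n(.*?)\r?\n---", re.S)


def frontmatter_lines(text: str) -> list[str] | None:
    """Lines between the first pair of '---' fences, or None if absent."""
    m = FRONTMATTER_RE.match(text)
    return m.group(1).splitlines() if m else None


def _unquote(s: str) -> str:
    return s.strip().strip("\"'")


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip())


def trigger_events(lines: list[str]) -> set[str]:
    """Collect event names declared under the top-level 'on:' key."""
    events: set[str] = set()
    in_on = False
    for line in lines:
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if _indent(line) == 0:
            key, _, rest = stripped.partition(":")
            in_on = _unquote(key) == "on"
            rest = rest.strip()
            if in_on and rest.startswith("["):            # on: [push, issue_comment]
                events.update(_unquote(e) for e in rest.strip("[]").split(",") if e.strip())
            elif in_on and rest:                          # on: push
                events.add(_unquote(rest))
        elif in_on and stripped.startswith("- "):         # on:\n  - issue_comment
            events.add(_unquote(stripped[2:]))
        elif in_on and _indent(line) == 2 and ":" in stripped:  # on:\n  issue_comment:\n    types: [...]
            events.add(_unquote(stripped.split(":", 1)[0]))
    return events


def permissions_value(lines: list[str]) -> str | dict[str, str] | None:
    """Top-level 'permissions:' value: a scalar ('write-all', 'read-all'),
    a dict of scope -> level, or None when no block is declared."""
    scopes: dict[str, str] = {}
    found, in_perm, scalar = False, False, None
    for line in lines:
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if _indent(line) == 0:
            key, _, rest = stripped.partition(":")
            in_perm = _unquote(key) == "permissions"
            if in_perm:
                found = True
                rest = rest.strip()
                scalar = None if rest in ("", "{}") else _unquote(rest)
        elif in_perm and _indent(line) == 2 and ":" in stripped:
            k, _, v = stripped.partition(":")
            scopes[_unquote(k)] = _unquote(v)
    if scalar is not None:
        return scalar
    return scopes if found else None


def audit(text: str) -> list[str]:
    """Findings for one workflow source; an empty list means it passes."""
    lines = frontmatter_lines(text)
    if lines is None:
        return ["no frontmatter found"]
    risky = sorted(trigger_events(lines) & RISKY_EVENTS)
    if not risky:
        return []
    perms = permissions_value(lines)
    if perms is None:
        return [f"default_permissions_on_risky_events: triggered by {risky} "
                "with no permissions block; GITHUB_TOKEN inherits the repository default"]
    if perms == "write-all":
        return [f"permissions: write-all on {risky}; replace with per-scope minimal grants"]
    return []


def audit_directory(workflow_dir: str | Path) -> dict[str, list[str]]:
    """Audit every .md source (generated .lock.yml files are skipped)."""
    results: dict[str, list[str]] = {}
    for path in sorted(Path(workflow_dir).glob("*.md")):
        findings = audit(path.read_text(encoding="utf-8"))
        if findings:
            results[str(path)] = findings
    return results


# Constructed samples mirroring the Before/After frontmatter above.
BEFORE = "---\nname: Example Workflow\non:\n  issue_comment:\n    types: [created]\n---\nBody.\n"
AFTER = ("---\nname: Example Workflow\non:\n  issue_comment:\n    types: [created]\n"
         "permissions:\n  contents: read\n  issues: write\n  pull-requests: write\n---\nBody.\n")
PUSH_ONLY = "---\nname: CI\non: [push, pull_request]\n---\n"
WRITE_ALL = "---\nname: Risky\non:\n  pull_request_target:\npermissions: write-all\n---\n"

if __name__ == "__main__":
    for label, sample in [("before", BEFORE), ("after", AFTER),
                          ("push-only", PUSH_ONLY), ("write-all", WRITE_ALL)]:
        print(label, audit(sample) or "OK")
```

Run audit_directory(".github/workflows") before and after the edit; the dict should go from the 14 listed files to empty. The "after" sample passes because the issue's suggested block is explicit and per-scope; whether issues: write and pull-requests: write are truly needed is still a per-workflow judgement the script cannot make.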

Files Affected

  • 14 workflow markdown files in .github/workflows/ directory

Success Criteria

  • All 14 workflows have explicit permissions in frontmatter
  • Permissions follow least-privilege principle
  • Workflows recompiled with make recompile
  • Poutine scanner no longer reports default_permissions_on_risky_events warning
  • All workflows still function correctly

Priority

High - Security hardening, follows GitHub best practices

Estimated Effort

1-2 hours

Source

Extracted from:

Identified as high-priority security finding by Poutine supply chain scanner.

References

AI generated by Discussion Task Miner - Code Quality Improvement Agent

  • expires on Feb 7, 2026, 9:07 PM UTC
