Closed
Objective
Review and reduce permissions in the speckit-dispatcher workflow to follow the principle of least privilege.
Context
Severity: High
Tool: zizmor
Reference: excessive-permissions
Location: .github/workflows/speckit-dispatcher.lock.yml:502:3
The workflow has more permissions than necessary, increasing the attack surface and potential for privilege escalation if compromised.
Approach
- Examine the speckit-dispatcher workflow to understand what GitHub API operations it performs
- Review current permissions granted (likely in frontmatter or workflow configuration)
- Determine the minimal set of permissions actually needed
- Update the workflow markdown file with reduced permissions
- Recompile and test the workflow
Files to Modify
- Edit: .github/workflows/speckit-dispatcher.md (or related source file)
- Generated: .github/workflows/speckit-dispatcher.lock.yml (via recompile)
Analysis Steps
- Identify what GitHub API calls the workflow makes (issues, PRs, discussions, etc.)
- Map those operations to required permissions
- Compare against currently granted permissions
- Remove any unnecessary permissions
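The four analysis steps above can be carried out mechanically. The script below is an added example, not code from the speckit-dispatcher project or from zizmor: it scans a compiled workflow for the GitHub API operations it can recognise (a constructed subset of actions/github-script calls, gh CLI invocations and well-known actions), maps each to the token scope and access level it needs, and compares that with the workflow-level permissions block. The sample workflow text and the call-to-scope table are constructed for illustration; the real speckit-dispatcher.lock.yml would be read from disk instead.

```python
"""Least-privilege audit for a compiled GitHub Actions workflow.

Added example (not part of the speckit-dispatcher project). It maps the
GitHub API operations visible in a workflow's steps to the token scopes
they need and compares that set with the scopes the workflow declares.
"""
import re

# Constructed sample: declares broad scopes but only checks out code,
# reads one issue and posts a comment. Not the real lock file.
SAMPLE_WORKFLOW = """\
name: dispatcher
on:
  issues:
    types: [opened]
permissions:
  contents: write
  issues: write
  pull-requests: write
  discussions: write
jobs:
  dispatch:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Read the issue
        run: gh issue view "$NUMBER" --json title,body
      - uses: actions/github-script@v7
        with:
          script: |
            await github.rest.issues.createComment({
              owner: context.repo.owner, repo: context.repo.repo,
              issue_number: context.issue.number, body: "ack",
            });
"""

# Operation -> (scope, access). A constructed subset of GitHub's documented
# GITHUB_TOKEN permissions; extend it for the operations your workflow uses.
SCOPE_FOR_CALL = {
    "github.rest.issues.get": ("issues", "read"),
    "github.rest.issues.createComment": ("issues", "write"),
    "github.rest.pulls.get": ("pull-requests", "read"),
    "github.rest.pulls.createReview": ("pull-requests", "write"),
    "gh issue view": ("issues", "read"),
    "gh issue comment": ("issues", "write"),
    "gh pr comment": ("pull-requests", "write"),
    "actions/checkout": ("contents", "read"),
}
RANK = {"none": 0, "read": 1, "write": 2}


def declared_permissions(text):
    """Return {scope: access} from the top-level permissions: block.

    Regex-based on purpose so the example needs no YAML library; it only
    understands the `scope: access` mapping form, not `read-all`/`write-all`.
    """
    match = re.search(r"^permissions:\n((?:[ \t]+\S+:[ \t]*\S+\n)+)", text, re.M)
    perms = {}
    if match:
        for line in match.group(1).splitlines():
            scope, access = line.strip().split(":")
            perms[scope] = access.strip()
    return perms


def required_permissions(text):
    """Strongest access each scope needs, judged from the calls observed."""
    needed = {}
    for call, (scope, access) in SCOPE_FOR_CALL.items():
        if call in text and RANK[access] > RANK[needed.get(scope, "none")]:
            needed[scope] = access
    return needed


def excess_permissions(declared, needed):
    """Scopes granted above what any observed call requires: {scope: (have, need)}."""
    return {
        scope: (access, needed.get(scope, "none"))
        for scope, access in declared.items()
        if RANK[access] > RANK[needed.get(scope, "none")]
    }


def minimal_block(needed):
    """Render the reduced permissions: block to copy into the workflow source."""
    return "\n".join(["permissions:"] + [f"  {s}: {a}" for s, a in sorted(needed.items())])


if __name__ == "__main__":
    have = declared_permissions(SAMPLE_WORKFLOW)
    need = required_permissions(SAMPLE_WORKFLOW)
    for scope, (granted, required) in excess_permissions(have, need).items():
        print(f"excess: {scope} is {granted}, needs {required}")
    print(minimal_block(need))
```

The scan is only as good as its call table: token use that is hidden behind curl with `${{ secrets.GITHUB_TOKEN }}`, or behind a third-party action, will not be seen, so treat the output as a starting point and confirm by running the recompiled workflow. For a generated lock file the reduced block belongs in the markdown source, not the .lock.yml, which is regenerated on recompile.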
Common Permission Patterns

```yaml
# Example: if the workflow only reads issues and writes comments
permissions:
  issues: write    # needed for commenting
  contents: read   # standard read access
# Remove pull-requests, discussions, etc. if not used
```

Acceptance Criteria
- Current permissions documented and analyzed
- Minimal required permissions identified
- Workflow source file updated with reduced permissions
- Workflow recompiled with make recompile
- Zizmor scan shows excessive-permissions warning resolved
- Workflow tested to ensure it still functions correctly
- Documentation updated if the workflow's capabilities changed
Why This Matters
- Follows security principle of least privilege
- Reduces impact if workflow is compromised
- Limits potential for accidental destructive operations
- Industry best practice for GitHub Actions security
Related to [plan] Address security findings from static analysis scan #5866
AI generated by Plan Command for discussion #5845