Skip to content

Replace implicit read-all with explicit minimal permissions in test-claude-oauth-workflow#3128

Merged
pelikhan merged 2 commits intomainfrom
copilot/reduce-excessive-permissions
Nov 4, 2025
Merged

Replace implicit read-all with explicit minimal permissions in test-claude-oauth-workflow#3128
pelikhan merged 2 commits intomainfrom
copilot/reduce-excessive-permissions

Conversation

Copy link
Contributor

Copilot AI commented Nov 4, 2025
edited
Loading

The test-claude-oauth-workflow had no explicit permissions, causing the compiler to default to permissions: read-all, violating least privilege (MEDIUM severity finding).

Changes

  • Added explicit minimal permissions to .github/workflows/test-claude-oauth-workflow.md:

    permissions:
  contents: read
  issues: read
  pull-requests: read

  • Recompiled workflow to propagate permissions to .lock.yml file

Impact

  • Removes permissions: read-all from both top-level workflow and agent job
  • Grants only read access required for file listing and GitHub toolsets
  • Addresses excessive-permissions finding from static analysis report (🔍 Static Analysis Report - November 4, 2025 #3120)
Original prompt

This section details on the original issue you should resolve

<issue_title>[task] Reduce excessive permissions in test-claude-oauth-workflow</issue_title>
<issue_description>## Objective
Replace overly broad permissions: read-all with explicit minimal permissions in test-claude-oauth-workflow.

Context

The test-claude-oauth-workflow currently uses permissions: read-all which violates the principle of least privilege and increases the attack surface (MEDIUM severity). This was identified in the static analysis report as an excessive-permissions issue.

Related to discussion #3120 - Static Analysis Report finding #2.

Approach

  1. Analyze what permissions the workflow actually needs based on its operations
  2. Replace permissions: read-all with explicit minimal permissions
  3. Test the workflow to ensure it still functions correctly with reduced permissions

Files to Modify

  • .github/workflows/test-claude-oauth-workflow.md - Update permissions from read-all to explicit minimal set
  • Recompile with gh aw compile test-claude-oauth-workflow

Suggested Permissions

Based on typical agentic workflow needs:

permissions:
  contents: read
  issues: write
  pull-requests: write

Adjust if the specific workflow requires different permissions.

Acceptance Criteria

  • permissions: read-all removed from workflow
  • Explicit minimal permissions defined
  • Workflow compiles successfully
  • Workflow functions correctly with new permissions
  • Zizmor scan shows no excessive-permissions findings for this workflow
    Related to 🔍 Static Analysis Report - November 4, 2025 #3120

AI generated by Plan Command for discussion #3120</issue_description>

Comments on the Issue (you are @copilot in this section)

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

@pelikhan
Replace read-all with explicit minimal permissions in test-claude-oau…
3a0b3ab 
…th-workflow

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Update permissions in test-claude-oauth-workflow Replace implicit read-all with explicit minimal permissions in test-claude-oauth-workflow Nov 4, 2025
Copilot AI requested a review from pelikhan November 4, 2025 11:36
@pelikhan pelikhan marked this pull request as ready for review November 4, 2025 11:39
Copilot AI review requested due to automatic review settings November 4, 2025 11:39
@pelikhan pelikhan enabled auto-merge (squash) November 4, 2025 11:39
Copilot AI reviewed Nov 4, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR updates the test workflow for Claude OAuth token support by replacing the broad read-all permission with explicit, minimal read permissions following the principle of least privilege. This change improves security by granting only the specific permissions needed for the workflow to function.

Key Changes

  • Added explicit permissions block to the workflow frontmatter
  • Replaced read-all with granular read permissions for contents, issues, and pull-requests
  • Updated both the workflow-level and job-level permissions in the compiled lock file

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File Description
.github/workflows/test-claude-oauth-workflow.md Added explicit permissions block with minimal read-only access
.github/workflows/test-claude-oauth-workflow.lock.yml Compiled output reflecting the permission changes at both workflow and job levels

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@pelikhan pelikhan merged commit b1a6e4a into main Nov 4, 2025
49 of 58 checks passed
@pelikhan pelikhan deleted the copilot/reduce-excessive-permissions branch November 4, 2025 12:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

+1 more reviewer

@pelikhan pelikhan pelikhan approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@pelikhan pelikhan

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[task] Reduce excessive permissions in test-claude-oauth-workflow

2 participants

@pelikhan