Skip to content

Remove unnecessary discussions:read permission from speckit-dispatcher workflow#5879

Merged
pelikhan merged 2 commits intomainfrom
copilot/fix-excessive-permissions
Dec 8, 2025
Merged

Remove unnecessary discussions:read permission from speckit-dispatcher workflow#5879
pelikhan merged 2 commits intomainfrom
copilot/fix-excessive-permissions

Conversation

Copy link
Contributor

Copilot AI commented Dec 8, 2025

The speckit-dispatcher workflow granted discussions: read permission but doesn't use the discussions toolset. This violates least privilege and increases attack surface unnecessarily.

Changes

  • Removed discussions: read from workflow permissions
  • Retained minimal required permissions:
    • contents: read - repos toolset
    • issues: write - issues toolset + safe-outputs (create-issue, add-comment, link-sub-issue)
    • pull-requests: read - pull_requests toolset

Analysis

The workflow uses GitHub MCP toolsets: [default] which expands to context, repos, issues, pull_requests. None of these require discussions permissions. The discussions toolset is a separate opt-in and was never configured.

# Before
permissions:
  contents: read
  issues: write
  discussions: read    # ← Unnecessary
  pull-requests: read

# After
permissions:
  contents: read
  issues: write
  pull-requests: read

Resolves zizmor excessive-permissions warning at .github/workflows/speckit-dispatcher.lock.yml:502:3.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/user
    • Triggering command: /usr/bin/gh gh api user --jq .login it/ref/tags/v5 GO111MODULE ps GOINSECURE GOMOD GOMODCACHE ps .git�� .git GOPROXY e/git GOSUMDB GOWORK me: String!) { xterm-color e/git (http block)
    • Triggering command: /usr/bin/gh gh api user --jq .login ns/setup.git GOPROXY /home/REDACTED/go/bin/sh GOSUMDB GOWORK (http block)
    • Triggering command: /usr/bin/gh gh api user --jq .login ion-precompile.git ion-precompile.git 204575cd2cb8260dae593b7ff6926251360/log.json GOSUMDB GOWORK /usr/bin/git sh -c prettier --write '**/*.cjs' '**/*.ts' '**/*.json' git (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

This section details on the original issue you should resolve

<issue_title>[plan] Fix excessive permissions in speckit-dispatcher workflow</issue_title>
<issue_description>## Objective

Review and reduce permissions in the speckit-dispatcher workflow to follow the principle of least privilege.

Context

Severity: High
Tool: zizmor
Reference: excessive-permissions
Location: .github/workflows/speckit-dispatcher.lock.yml:502:3

The workflow has more permissions than necessary, increasing the attack surface and potential for privilege escalation if compromised.

Approach

  1. Examine the speckit-dispatcher workflow to understand what GitHub API operations it performs
  2. Review current permissions granted (likely in frontmatter or workflow configuration)
  3. Determine the minimal set of permissions actually needed
  4. Update the workflow markdown file with reduced permissions
  5. Recompile and test the workflow

Files to Modify

  • Edit: .github/workflows/speckit-dispatcher.md (or related source file)
  • Generated: .github/workflows/speckit-dispatcher.lock.yml (via recompile)

Analysis Steps

  1. Identify what GitHub API calls the workflow makes (issues, PRs, discussions, etc.)
  2. Map those operations to required permissions
  3. Compare against currently granted permissions
  4. Remove any unnecessary permissions

Common Permission Patterns

# Example: If workflow only reads issues and writes comments
permissions:
  issues: write        # Needed for commenting
  contents: read       # Standard read access
  # Remove: pull-requests, discussions, etc. if not used

Acceptance Criteria

  • Current permissions documented and analyzed
  • Minimal required permissions identified
  • Workflow source file updated with reduced permissions
  • Workflow recompiled with make recompile
  • Zizmor scan shows excessive-permissions warning resolved
  • Workflow tested to ensure it still functions correctly
  • Documentation updated if the workflow's capabilities changed

Why This Matters

AI generated by Plan Command for discussion #5845

Comments on the Issue (you are @copilot in this section)


✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix excessive permissions in speckit-dispatcher workflow Remove unnecessary discussions:read permission from speckit-dispatcher workflow Dec 8, 2025
Copilot AI requested a review from pelikhan December 8, 2025 15:42
@pelikhan pelikhan marked this pull request as ready for review December 8, 2025 15:44
@pelikhan pelikhan merged commit 39f5586 into main Dec 8, 2025
110 of 111 checks passed
@pelikhan pelikhan deleted the copilot/fix-excessive-permissions branch December 8, 2025 15:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[plan] Fix excessive permissions in speckit-dispatcher workflow

2 participants