
[security-fix] Security: Add explicit permissions to CI workflow jobs #1493

@github-actions

Description

Security Fix: Missing Workflow Permissions

Alert Numbers: #13, #14
Severity: Medium
Rule: actions/missing-workflow-permissions

Vulnerability Description

Two jobs in the CI workflow (js and lint) were missing explicit permissions blocks. Without an explicit block, a job's GITHUB_TOKEN inherits the workflow-level or repository-level default permissions, which may be broader than the job needs and violate the principle of least privilege. A compromised workflow could then use that token to perform unintended actions.

CodeQL identified these issues with the following message:

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Fix Applied

Added explicit permissions blocks to both affected jobs:

permissions:
  contents: read

Changes:

  • js job (lines 76-95): Added permissions: contents: read
  • lint job (lines 95-125): Added permissions: contents: read

Both jobs only require read access to:

  • Check out repository code
  • Set up build environments
  • Run tests and linters

No write permissions are needed for these operations.

Security Best Practices

  • Principle of Least Privilege: Jobs now have only the minimum permissions required
  • Explicit Permission Control: GITHUB_TOKEN scope is explicitly restricted
  • Defense in Depth: Reduces potential impact if the workflow is compromised
  • GitHub Compliance: Follows GitHub's workflow security recommendations

Testing Considerations

  • ✅ Changes only add restrictive permissions
  • ✅ No functional changes to job behavior
  • ✅ Both jobs should continue to run successfully with read-only access
  • ⚠️ Verify that CI jobs complete without permission errors
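A local way to check the fix before pushing, as an added example that is not part of this PR or of CodeQL: a small Python scan that lists jobs lacking a permissions block unless the workflow sets one at the top level, which is what the actions/missing-workflow-permissions rule reports. The sample workflow and its job ids are constructed; the scan assumes the usual two-space indentation of workflow files.

```python
# Flag GitHub Actions jobs whose GITHUB_TOKEN permissions are not limited,
# mirroring what CodeQL's actions/missing-workflow-permissions rule reports.
# Indentation-based scan of just the keys that matter (top-level `permissions:`
# and `jobs.<id>.permissions`), so no YAML library is needed; assumes the usual
# two-space indentation of workflow files.

# Constructed sample: the `js` job has no permissions block, `lint` does.
SAMPLE_WORKFLOW = """\
name: CI
on: [push, pull_request]
jobs:
  js:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm test
  lint:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - run: npm run lint
"""

def jobs_missing_permissions(workflow_text):
    """Return ids of jobs that neither declare their own permissions block
    nor inherit an explicit workflow-level one."""
    workflow_has_permissions = False
    in_jobs = False
    current_job = None
    missing = []
    for line in workflow_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment
        indent = len(line) - len(line.lstrip(" "))
        key = line.strip().split(":", 1)[0]
        if indent == 0:  # top-level key
            in_jobs = key == "jobs"
            current_job = None
            workflow_has_permissions |= key == "permissions"
        elif in_jobs and indent == 2:  # a job id under `jobs:`
            current_job = key
            missing.append(key)  # presumed missing until a permissions key appears
        elif in_jobs and indent == 4 and key == "permissions":
            if current_job in missing:  # block form or inline `{contents: read}`
                missing.remove(current_job)
    # A workflow-level block is the default for every job, so nothing is flagged.
    return [] if workflow_has_permissions else missing
```

Running it on the sample reports only `js`; adding a top-level `permissions:` block or an inline `permissions: {contents: read}` on the job clears the finding.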

🤖 Generated with Claude Code

AI generated by Security Fix PR


Note

This was originally intended as a pull request, but the git push operation failed.

Workflow Run: View run details and download patch artifact

The patch file is available as an artifact (aw.patch) in the workflow run linked above.
To apply the patch locally:

# Download the artifact from the workflow run https://github.com/githubnext/gh-aw/actions/runs/18418667448
# (Use GitHub MCP tools if gh CLI is not available)
gh run download 18418667448 -n aw.patch
# Apply the patch
git am aw.patch
