Skip to content

Update workflow permissions #996

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Aug 15, 2025
Merged

Update workflow permissions #996

merged 1 commit into from
Aug 15, 2025

Conversation

@martincostello
Copy link
Owner

@martincostello martincostello commented Aug 15, 2025

Set workflow permissions to none and add job-level permissions instead.

@martincostello
Update workflow permissions
4eb5e0c 
Set workflow permissions to none and add job-level permissions instead.
Copilot AI review requested due to automatic review settings August 15, 2025 16:18
@martincostello martincostello added enhancement New feature or request github_actions Pull requests that update GitHub Actions code labels Aug 15, 2025
@martincostello martincostello enabled auto-merge (rebase) August 15, 2025 16:18
Copilot AI reviewed Aug 15, 2025
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR updates GitHub Actions workflow permissions by removing global workflow-level permissions and implementing job-level permissions instead. This follows security best practices by applying the principle of least privilege at a more granular level.

  • Removes global contents: read permissions from workflow level
  • Adds empty permissions object {} at workflow level to explicitly deny all default permissions
  • Moves contents: read permission to individual job level in dependency-review workflow

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File Description
.github/workflows/dependency-review.yml Moves contents permission from workflow to job level
.github/workflows/build.yml Removes global contents permission, sets empty permissions

Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.

.github/workflows/build.yml

permissions:
contents: read
permissions: {}
Copy link

Copilot AI Aug 15, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The build job may require permissions to function properly. Consider adding job-level permissions for the build job similar to how it was done in dependency-review.yml, or verify that the build job doesn't need any permissions.

Suggested change
permissions: {}

Copilot uses AI. Check for mistakes.
@codecov
Copy link

codecov bot commented Aug 15, 2025
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 98.59%. Comparing base (aa46700) to head (4eb5e0c).
⚠️ Report is 1 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files 
@@           Coverage Diff           @@
##             main     #996   +/-   ##
=======================================
  Coverage   98.59%   98.59%           
=======================================
  Files          16       16           
  Lines         284      284           
  Branches       37       37           
=======================================
  Hits          280      280           
  Misses          2        2           
  Partials        2        2
Flag Coverage Δ
linux 98.59% <ø> (ø)
macos 98.59% <ø> (+0.70%) ⬆️
windows 98.59% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@martincostello martincostello merged commit 0c0361a into main Aug 15, 2025
16 checks passed
@martincostello martincostello deleted the update-permissions branch August 15, 2025 16:22
This was referenced Nov 11, 2025
Open
Merged
Open
Open
Open
Closed
Closed
Closed
Open
Closed
Open
Closed
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

enhancement New feature or request github_actions Pull requests that update GitHub Actions code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@martincostello