Skip to content

chore: restrict GitHub workflow permissions - future-proof #3165

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Oct 14, 2025
Merged

chore: restrict GitHub workflow permissions - future-proof #3165

merged 1 commit into from
Oct 14, 2025
+8 −0

Conversation

incertum
Copy link
Contributor

@incertum
chore: restrict GitHub workflow permissions - future-proof
2f6835f 
Signed-off-by: Melissa Kilby <mkilby@apple.com>
ahoppen
ahoppen reviewed Oct 11, 2025
View reviewed changes
Copy link
Member

@ahoppen ahoppen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks a lot for the PR, @incertum 🙏🏽 Two quick questions:

  • Out of curiosity, do you know what the default permissions are if they are not specified? Does this PR just
  • The automerge workflow requires contents: write permission in the create_merge_pr job. Do you know / did you check if it’s possible that a job has more permissions than the surrounding workflow?

@incertum
Copy link
Contributor Author

Thanks a lot for the PR, @incertum 🙏🏽 Two quick questions:

  • Out of curiosity, do you know what the default permissions are if they are not specified?

The default GITHUB_TOKEN permissions are defined at the repository level. This PR modifies the workflow-level overrides to conform to OpenSSF best practices -> defense in depth.

  • The automerge workflow requires contents: write permission in the create_merge_pr job. Do you know / did you check if it’s possible that a job has more permissions than the surrounding workflow?

I replied to a similar question here: swiftlang/swift-build#858 (comment) Hope it answers the question?

ahoppen
ahoppen approved these changes Oct 14, 2025
View reviewed changes
Copy link
Member

@ahoppen ahoppen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the clarification, @incertum 🙏🏽

@ahoppen
Copy link
Member

ahoppen commented Oct 14, 2025

@swift-ci Please test

@ahoppen ahoppen merged commit cc7888f into swiftlang:main Oct 14, 2025
34 checks passed
@incertum incertum mentioned this pull request Oct 14, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ahoppen ahoppen ahoppen approved these changes

@bnbarham bnbarham Awaiting requested review from bnbarham bnbarham is a code owner

@hamishknight hamishknight Awaiting requested review from hamishknight hamishknight is a code owner

@rintaro rintaro Awaiting requested review from rintaro rintaro is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@incertum @ahoppen