Skip to content

ci: add least-privilege GITHUB_TOKEN permissions to CI workflow#121

Closed
seonghobae wants to merge 1 commit into
mainfrom
fix/ci-workflow-permissions
Closed

ci: add least-privilege GITHUB_TOKEN permissions to CI workflow#121
seonghobae wants to merge 1 commit into
mainfrom
fix/ci-workflow-permissions

Conversation

@seonghobae

Copy link
Copy Markdown
Contributor

Summary

Resolves CodeQL actions/missing-workflow-permissions alerts #16, #17, #18 (CWE-275) on .github/workflows/ci.yml.

Root cause

The CI workflow defined no permissions block, so all three jobs (python, rust, package) inherited the repository/org default GITHUB_TOKEN scopes. For repos/orgs created before Feb 2023 the default is read-write, violating least privilege.

Fix

Added a top-level permissions: contents: read block. All three jobs only actions/checkout the repo and run build/test steps (pytest, cargo test, python -m build, twine check, smoke scripts) — none push commits, comments, packages, or releases, so read-only contents is sufficient for every job.

No workflow thresholds or steps were weakened.

Set top-level 'permissions: contents: read' in .github/workflows/ci.yml.
All three jobs (python, rust, package) only checkout the repo and run
build/test steps; none require write scopes. This resolves CodeQL
actions/missing-workflow-permissions alerts (CWE-275) #16, #17, #18.
@seonghobae

Copy link
Copy Markdown
Contributor Author

Closing as superseded by lower-numbered PR #118. #121 contains the same CI workflow permissions: contents: read declaration, while #118 carries that identical least-privilege CI change plus the .codegraph/ ignore guard for review-generated artifacts.

@seonghobae seonghobae closed this Jul 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant