…issionsID) Scorecard TokenPermissionsID alert (#26, high severity) flagged top-level 'contents: write' on budget-snapshot-cadence.yml. This is a Scorecard best-practice violation — top-level should be read-only, with write scoped narrowly to jobs that need it.
Refactor:
- Top-level permissions block: 'contents: read' only
- Job-level (jobs.snapshot.permissions): contents:write + pull-requests:write + actions:read (the original set, just moved)
Functional behavior: identical. The snapshot job still gets all 3 write/read scopes it needs.
Security posture: tightened. If any step in this workflow runs untrusted input, the blast radius is bounded to the snapshot job rather than the whole workflow.
EVIDENCE-BASED:
- VERIFIED: Scorecard alert message specifies "topLevel 'contents' permission set to 'write'" — matches the diagnosis.
- VERIFIED: GitHub Actions job-level permissions override top-level per docs (https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token).
Side-effect: should close TokenPermissionsID alert on next CodeQL/Scorecard scan, which unblocks PR #661 (B-0073 CodeQL unblock — gated by 'code_quality:severity=all' ruleset that requires zero open alerts).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Pull request overview
Tightens the GitHub Actions GITHUB_TOKEN permission scope in the budget snapshot cadence workflow to address Scorecard’s TokenPermissionsID finding, while preserving the snapshot job’s ability to push commits and open PRs.
Changes:
- Reduce workflow top-level `permissions` to `contents: read`.
- Move the previously-required write scopes to `jobs.snapshot.permissions` (contents/pull-requests write + actions read).
AceHack added a commit that referenced this pull request on Apr 28, 2026
Captures the 11-PR landing arc since PR #674's 17:47Z row.
PRs MERGED this arc:
- #675 pull-queue scope-broadening + recurrence
- #676 Elisabeth→Elizabeth in-prose
- #677 5 pre-flight disciplines for destructive git ops
- #678 Elizabeth §33 carve-out + verbatim-quote meta-marker
- #679 Scorecard TokenPermissions job-level scoping
- #680 Atari B-0083 + CodeQL B-0084 + 3 trajectory memories
- #681 version-currency-inherits-pins (clean-extracted from #656)
Plus PR #656 closed-as-superseded by #681 with 5-disciplines audit.
Aaron substrate-input arc captured verbatim:
- Elizabeth canonical-spelling correction
- Atari ROM canonical-naming ask
- TOSEC/Good-Tools dependency-first framing
- 'build-our-own as last resort' end-goal sharpening
- 'did you fix what it was complaining about?' speculation-catch
- 'do the right long term thing' corrective
- self-healing metrics affirmation
- elisabeth-causes-confusion §33 carve-out
Multiple self-correction cascades caught + documented:
- Python-heredoc replace failing on backtick-rich content
- Block-quoted-verbatim guard missing multi-line quotes
- Single-category SARIF snippet vs live per-language matrix
- Self-referential rule containing the word it removes
Composes with: 5-disciplines memory, self-healing-metrics memory, emit-empty-security-result memory, absorb-and-contribute end-goal sharpening, Elizabeth §33 carve-out, version-currency-inherits-pins.
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
Summary
Scorecard TokenPermissionsID alert (#26, high severity) flagged top-level `contents: write` on `.github/workflows/budget-snapshot-cadence.yml`. This is a Scorecard best-practice violation — top-level should be read-only, with write scoped narrowly to jobs that need it.
What changes
- `permissions:` block becomes `contents: read` only
- `jobs.snapshot.permissions:` gets the original set (contents:write + pull-requests:write + actions:read)
Functional behavior: identical. Job-level permissions override
top-level (per GitHub Actions docs).
The snapshot job still gets all 3 scopes it needs.
Security posture: tightened. Blast-radius bounded to the snapshot
job rather than the whole workflow.
Why now
PR #661 (B-0073 CodeQL unblock) is gated by the `code_quality:severity=all` ruleset, which requires zero open code-scanning alerts. This alert is
one of two blocking. After this PR + CodeQL/Scorecard re-scan, the
TokenPermissionsID alert should close, unblocking #661.
🤖 Generated with Claude Code
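The before/after shape of the permissions change this PR describes, as an added illustration rather than the repository's actual workflow file: the workflow name, schedule and steps are placeholders, and only the `permissions` blocks reflect what the PR states.

```yaml
# Added illustration, not the repository's own workflow. Trigger and steps are placeholders.
---
# BEFORE: a top-level write grant applies to every job in the workflow,
# so any job (present or added later) can push commits with GITHUB_TOKEN.
name: budget-snapshot-cadence
on:
  schedule:
    - cron: "0 6 * * *"        # placeholder cadence
permissions:
  contents: write              # flagged by Scorecard TokenPermissionsID
  pull-requests: write
  actions: read
jobs:
  snapshot:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4          # pin to a commit SHA in practice
      - run: ./scripts/take-snapshot.sh    # placeholder step
---
# AFTER: top-level is read-only; write scopes live only on the job that needs them.
# A job-level permissions block replaces (does not merge with) the top-level one,
# so the snapshot job must list every scope it needs. Any other job added later
# inherits contents: read unless it explicitly asks for more.
name: budget-snapshot-cadence
on:
  schedule:
    - cron: "0 6 * * *"        # placeholder cadence
permissions:
  contents: read
jobs:
  snapshot:
    permissions:
      contents: write          # push the snapshot commit
      pull-requests: write     # open the follow-up PR
      actions: read
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4          # pin to a commit SHA in practice
      - run: ./scripts/take-snapshot.sh    # placeholder step
```

The check to run after merging is the one the PR names: re-run Scorecard (or wait for the next scheduled scan) and confirm the TokenPermissionsID finding for this workflow is closed, while the snapshot job's push and PR-open steps still succeed.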