Define explicit top-level permissions for GitHub Actions workflows#3211

Merged
arkid15r merged 6 commits intoOWASP:mainfrom
SuyashJain17:ci-explicit-workflow-permissions
Jan 6, 2026

Conversation

@SuyashJain17
Contributor

Proposed change

Resolves #3199

This PR adds explicit top-level permissions blocks to GitHub Actions workflows that previously relied on implicit default GITHUB_TOKEN permissions.

The intent is to make CI permission usage explicit and easier to audit, while keeping existing job-level permissions unchanged. This is a non-functional change focused on CI hygiene and security clarity, with no impact on workflow behavior.

Checklist

  • Required: I read and followed the contributing guidelines
  • Required: I ran the relevant local checks and verified no functional behavior was changed
  • I used AI for guidance and review during this PR

@coderabbitai
Contributor

coderabbitai bot commented Jan 5, 2026

Summary by CodeRabbit

  • Chores
    • Added top-level workflow permission declarations across CI, labeling, and automation workflows.
    • Preserved existing per-job permissions; several jobs retain read scopes while specific jobs now include elevated write scopes where needed (issue, pull-request, and actions write).
    • No changes to triggers, steps, scripts, or runtime logic—only permission declarations and formatting adjustments.


Walkthrough

Added explicit top-level permissions: {} to six GitHub Actions workflows; preserved existing per-job permissions. Only update-nest-test-images.yaml expanded a job permission to add actions: write. No workflow steps or control flow were changed.

Changes

Cohort / File(s) — Change Summary
Workflows — top-level permissions added
.github/workflows/check-pr-issue.yaml, .github/workflows/label-issues.yaml, .github/workflows/label-pull-requests.yaml, .github/workflows/run-ci-cd.yaml, .github/workflows/run-code-ql.yaml
Inserted a top-level permissions: {} block into each workflow. Job-level permissions and step logic unchanged. label-issues.yaml also had YAML reflow/indentation adjustments.
Workflow with job-level permission change
.github/workflows/update-nest-test-images.yaml
Added top-level permissions: {} and updated the update-nest-test-images job permissions to include actions: write alongside existing contents: read.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

  • kasya

Pre-merge checks and finishing touches

✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title directly and clearly describes the main change: adding explicit top-level permissions blocks to GitHub Actions workflows.
Description check ✅ Passed The description is directly related to the changeset, explaining the purpose of adding top-level permissions blocks, linking to issue #3199, and confirming no functional changes.
Linked Issues check ✅ Passed All code changes fulfill the objectives from issue #3199: explicit top-level permissions blocks added to all six affected workflows with job-level permissions preserved.
Out of Scope Changes check ✅ Passed All changes are directly in scope: only adding top-level permissions blocks to the six workflows specified in issue #3199, with no unrelated modifications.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b12585b and 45df6dc.

📒 Files selected for processing (1)
  • .github/workflows/run-ci-cd.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/run-ci-cd.yaml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)
  • GitHub Check: Run backend tests
  • GitHub Check: Run frontend e2e tests
  • GitHub Check: Run frontend unit tests
  • GitHub Check: CodeQL (javascript-typescript)
  • GitHub Check: CodeQL (python)


coderabbitai[bot]
coderabbitai bot previously approved these changes Jan 5, 2026
Collaborator

@arkid15r arkid15r left a comment


This is the opposite of what was done in #3118

The workflow level permissions should be empty: permissions: {} -- this is how I read your issue idea.

@arkid15r arkid15r marked this pull request as draft January 6, 2026 03:25
@SuyashJain17
Contributor Author

Thanks for the clarification.

I’ve updated all affected workflows to use permissions: {} at the workflow level and kept all required scopes strictly at the job level, consistent with #3118.

Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Fix all issues with AI Agents
In @.github/workflows/update-nest-test-images.yaml:
- Around line 8-9: The job-level permissions only specify an empty permissions object; update the workflow's job permissions to explicitly allow cache writes by adding actions: write and keep contents: read so GitHub Actions cache-to operations succeed; locate the permissions block in the workflow (the top-level permissions: {} entry in .github/workflows/update-nest-test-images.yaml) and replace it with a permissions mapping that includes actions: write and contents: read.
📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b360f21 and a666403.

📒 Files selected for processing (6)
  • .github/workflows/check-pr-issue.yaml
  • .github/workflows/label-issues.yaml
  • .github/workflows/label-pull-requests.yaml
  • .github/workflows/run-ci-cd.yaml
  • .github/workflows/run-code-ql.yaml
  • .github/workflows/update-nest-test-images.yaml
🚧 Files skipped from review as they are similar to previous changes (3)
  • .github/workflows/label-issues.yaml
  • .github/workflows/run-ci-cd.yaml
  • .github/workflows/run-code-ql.yaml
🧰 Additional context used
🧠 Learnings (1)
📚 Learning: 2025-12-21T19:03:59.068Z
Learnt from: ahmedxgouda
Repo: OWASP/Nest PR: 1139
File: .github/workflows/setup-backend-environment/action.yaml:16-27
Timestamp: 2025-12-21T19:03:59.068Z
Learning: Composite actions (runs: using: composite) execute as steps within the calling job's context and can access the job context, including job.services.* properties (e.g., job.services.<service_id>.id, job.services.<service_id>.ports). Service containers must be defined at the job level, but a composite action's steps can reference them via the job context.

Applied to files:

  • .github/workflows/label-pull-requests.yaml
  • .github/workflows/update-nest-test-images.yaml
  • .github/workflows/check-pr-issue.yaml
🔇 Additional comments (2)
.github/workflows/check-pr-issue.yaml (1)

8-9: LGTM! Security best practice implemented correctly.

The addition of explicit top-level permissions: {} paired with job-level permission declarations follows GitHub Actions security best practices. This enforces the principle of least privilege by requiring each job to explicitly declare its needed permissions rather than relying on implicit defaults.

.github/workflows/label-pull-requests.yaml (1)

6-7: LGTM! Consistent security improvement.

The explicit top-level permissions block correctly implements the same security pattern as other workflows in this PR. The job-level permissions (contents: read and pull-requests: write) are appropriately scoped for the labeler action's operations.
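The pattern the reviewers settle on above (empty top-level `permissions: {}`, with scopes such as `contents: read` and `actions: write` declared only on the job that needs them) can be audited mechanically. The following is an added example, not code from the OWASP/Nest repository: it assumes each workflow has already been loaded from YAML into a Python dict (for instance with PyYAML, not shown) and uses constructed sample workflows rather than the real files.

```python
"""Audit parsed GitHub Actions workflows for the pattern settled on in this PR."""
from typing import Any


def audit_workflow(name: str, wf: dict[str, Any]) -> list[str]:
    """Return findings for one workflow given as the dict form of its YAML."""
    findings: list[str] = []
    # Top-level value: absent (None), `{}`, a scope mapping, or the read-all/write-all shorthand.
    top = wf.get("permissions")
    if top is None:
        findings.append(f"{name}: no top-level permissions; GITHUB_TOKEN falls back to the repository default")
    elif isinstance(top, str):
        findings.append(f"{name}: top-level shorthand '{top}' grants scopes to every job")
    elif top:  # non-empty mapping: scopes leak into every job, move them to the jobs that need them
        findings.append(f"{name}: top-level scopes {sorted(top)} should be moved to job level")
    for job_id, job in wf.get("jobs", {}).items():
        perms = job.get("permissions")
        if perms is None:
            if top == {}:  # the job inherits an empty token and cannot call the API at all
                findings.append(f"{name}/{job_id}: no job-level permissions; token has no scopes")
            continue
        if isinstance(perms, str):
            findings.append(f"{name}/{job_id}: job shorthand '{perms}' is broader than needed")
            continue
        writes = sorted(scope for scope, level in perms.items() if level == "write")
        if writes:  # not an error, but every write scope deserves a reviewer's eye
            findings.append(f"{name}/{job_id}: write scopes {writes}; confirm each is required")
    return findings


# Constructed samples (not the repository's real files) mirroring the three states in this PR.
IMPLICIT = {"jobs": {"build": {"runs-on": "ubuntu-latest", "steps": []}}}
TOP_LEVEL_READ = {"permissions": {"contents": "read"}, "jobs": {"build": {"steps": []}}}
FINAL = {
    "permissions": {},
    "jobs": {
        "update-nest-test-images": {
            # cache writes need actions: write, granted only to this job
            "permissions": {"contents": "read", "actions": "write"},
            "steps": [],
        }
    },
}

if __name__ == "__main__":
    for label, wf in (("implicit", IMPLICIT), ("top-level-read", TOP_LEVEL_READ), ("final", FINAL)):
        for line in audit_workflow(label, wf) or [f"{label}: no findings"]:
            print(line)
```

Run against a repository's workflows, the only findings left in the final state should be the per-job write scopes, each of which the reviewer can tie to a concrete step such as the cache write in update-nest-test-images.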

coderabbitai[bot]
coderabbitai bot previously approved these changes Jan 6, 2026
@SuyashJain17 SuyashJain17 marked this pull request as ready for review January 6, 2026 10:04
@arkid15r arkid15r enabled auto-merge January 6, 2026 19:32
@sonarqubecloud

sonarqubecloud bot commented Jan 6, 2026

@arkid15r arkid15r added this pull request to the merge queue Jan 6, 2026
Merged via the queue into OWASP:main with commit 9b6fdf5 Jan 6, 2026
27 checks passed
anukalp2804 pushed a commit to anukalp2804/Nest that referenced this pull request Jan 12, 2026
…WASP#3211)

* Define explicit top-level permissions for GitHub Actions workflows

* ci: set empty workflow-level permissions and rely on job scopes

* ci: allow gha cache writes via job-level actions permission

* Update code

---------

Co-authored-by: Arkadii Yakovets <arkadii.yakovets@owasp.org>
Co-authored-by: Arkadii Yakovets <2201626+arkid15r@users.noreply.github.com>
hussainjamal760 pushed a commit to hussainjamal760/Nest that referenced this pull request Jan 14, 2026