Conversation
…ege) Scorecard flagged 9 'no topLevel permission defined' alerts (Token- Permissions, security_severity: high). GITHUB_TOKEN's default scope includes write access to most things; opting into 'permissions: read-all' at the workflow level scopes that down to read, then jobs that genuinely need write scopes override locally. Existing job-level permissions blocks (build / sign-object / pr-merged / pr-created / incluster-* / docker-build) are unchanged. Added job-level permissions to bypass.yaml's pr-merged caller — needed because that job invokes incluster-comp-pr-merged.yaml as a reusable workflow. Reusable workflows can't request scopes the caller hasn't granted, so top-level read-all + the implicit no-perms on the caller would starve the called workflow's docker-build / create-release jobs. Mirrors pr-merged.yaml's perms exactly. Closes 9 of 16 open Token-Permissions alerts. The remaining 7 are 'jobLevel X permission set to write' findings that flag legitimate write uses (image push, sigstore signing, security-events upload) — Scorecard wants those audit-acknowledged but they're not removable without breaking the workflow's purpose.
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Plus Run ID: 📒 Files selected for processing (2)
📝 WalkthroughWalkthroughAdds a top-level ChangesGitHub Actions workflow permission hardening
Estimated code review effort🎯 2 (Simple) | ⏱️ ~10 minutes 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/benchmark.yaml:
- Around line 27-29: The workflow-level permissions were set to read-all which
removes write access for the benchmark job; in the `benchmark` job definition
add a job-level permissions override that grants `issues: write` and
`pull-requests: write` so the `Comment on PR` step has the required write scope
to post benchmark results back to the PR thread.
In @.github/workflows/go-basic-tests.yaml:
- Around line 39-41: The workflow-level permissions are too restrictive for
CodeQL upload; in the reusable workflow add a job-level permissions override for
the CodeQL job (Environment-Test) to restore upload rights by setting
permissions: contents: read and security-events: write for the job that runs
github/codeql-action/analyze, and update any callers of this workflow_call to
grant security-events: write when invoking the reusable workflow so uploads
succeed.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro Plus
Run ID: 9ff4a244-c1cc-4a4e-a60f-58eb835e5a7e
📒 Files selected for processing (9)
.github/workflows/benchmark.yaml.github/workflows/build.yaml.github/workflows/bypass.yaml.github/workflows/component-tests.yaml.github/workflows/go-basic-tests.yaml.github/workflows/incluster-comp-pr-created.yaml.github/workflows/incluster-comp-pr-merged.yaml.github/workflows/pr-created.yaml.github/workflows/pr-merged.yaml
Addresses CodeRabbit's two findings on PR #39: 1. benchmark.yaml:29 (Minor) — peter-evans/create-or-update-comment needs issues:write + pull-requests:write to post benchmark results to the PR thread. Failure was masked by continue-on-error on the step. Add job-level permissions on 'benchmark'. 2. go-basic-tests.yaml:41 (Major) — github/codeql-action/analyze needs security-events:write to upload SARIF results. Failure was masked by continue-on-error on the CodeQL steps. Add job-level permissions on 'Environment-Test'. Note for #2: this file is invoked as a reusable workflow (workflow_call) from pr-created.yaml's pr-created job, which already grants security-events:write — so the caller envelope is already correct, only the inner job's override was missing. YAML validated.
entlein
pushed a commit
that referenced
this pull request
May 9, 2026
Chore PR #39 added 'permissions: read-all' to every workflow file including the workflow_call reusables. That broke the reusable-call contract: a called workflow's top-level permissions are the FLOOR the caller must grant. Callers of these reusables (pr-created.yaml's pr-created job, pr-merged.yaml's pr-merged job, etc.) only grant a narrow set of scopes (id-token:write, packages:write, security-events: write, pull-requests:write, contents). They do NOT grant the full read-all set (actions:read, artifact-metadata:read, attestations:read, checks:read, deployments:read, discussions:read, issues:read, models:read, vulnerability-alerts:read, packages:read, pages:read, repository-projects:read, statuses:read, id-token:read). Result: every PR opened on this fork since chore #39 merged (May 6) has had pr-created.yaml startup_failure with: Error calling workflow ... incluster-comp-pr-created.yaml@<sha>. The workflow is requesting 'actions: read, ...', but is only allowed [...] Fix: strip top-level 'permissions: read-all' from the four reusables: - benchmark.yaml (also direct-trigger; falls back to per-job perms) - go-basic-tests.yaml - incluster-comp-pr-created.yaml - incluster-comp-pr-merged.yaml Each reusable's per-job 'permissions:' blocks remain intact and correctly request only what the job needs. Callers' existing grants are sufficient. Top-level 'permissions: read-all' stays on the OUTERMOST workflows (pr-created.yaml, pr-merged.yaml, build.yaml, bypass.yaml, component-tests.yaml, sign-object.yaml, scorecard.yml) — they're event-triggered, not workflow_call'd, so the read-all default still hardens GITHUB_TOKEN there.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why
Scorecard / GitHub code-scanning has 16 open Token-Permissions alerts on this repo (security_severity: high). Most are "no topLevel permission defined" — every workflow file is implicitly using GITHUB_TOKEN's broad default scope.
What
permissions: read-allat the top of every workflow that was missing one (9 files).build+trigger-component-tests, component-tests.yaml'sbuild-and-push-image, sign-object.yaml top-level, pr-created.yaml, pr-merged.yaml, incluster-comp-*.yaml) are unchanged — they already grant exactly what those jobs need.bypass.yaml'spr-mergedcaller. That job invokesincluster-comp-pr-merged.yamlas a reusable workflow; reusable workflows can't request scopes the caller hasn't granted, so top-levelread-all+ no-perms on the caller would starve the innerdocker-build/create-release-and-retagjobs. The grants mirrorpr-merged.yaml'spr-mergedjob exactly:id-token: write,packages: write,contents: write.Coverage
Closes 9 of 16 open Token-Permissions alerts ("no topLevel permission defined" type).
The remaining 7 are "jobLevel '' permission set to write" findings that flag legitimate write uses:
build.yaml:87—actions: writefortrigger-component-tests(cross-workflow dispatch)pr-created.yaml:18+incluster-comp-pr-created.yaml:40—security-events: write(CodeQL upload)pr-merged.yaml:33,34+incluster-comp-pr-merged.yaml:355—packages: write/contents: write(image push, release retag)sign-object.yaml:26— top-levelpackages: write(image push)These are required for the workflow's actual job and aren't removable without breaking it.
Risk
Low. No-op for any job whose existing permissions are correct (which is most of them). The one substantive change is the
bypass.yamlpermission grant, which mirrors the correspondingpr-merged.yamlgrant verbatim — it's bringing bypass.yaml's reusable invocation in line with the explicit pattern already used elsewhere.YAML validated: all 10 workflow files parse cleanly with
yaml.safe_load.Test plan
bypass.yamlworkflow_dispatch run succeeds end-to-endgh api repos/k8sstormcenter/node-agent/code-scanning/alerts?state=opencount drops by 9 after merge