12 changes: 12 additions & 0 deletions .github/workflows/benchmark.yaml
Expand Up @@ -24,13 +24,25 @@ on:
required: false
type: string

# Default to read-only at the workflow level (least privilege per Scorecard).
# Jobs that need elevated scopes override below.
permissions: read-all

concurrency:
group: benchmark-${{ github.ref }}
cancel-in-progress: true

jobs:
benchmark:
runs-on: ubuntu-latest
# Override read-all to keep the 'Comment on PR' step working — the
# peter-evans/create-or-update-comment action requires both
# issues:write and pull-requests:write to post benchmark results.
# CodeRabbit PR #39 finding (benchmark.yaml:29).
permissions:
contents: read
issues: write
pull-requests: write
steps:
- name: Checkout
uses: actions/checkout@v4
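Review bot: The job-level `permissions:` block on L46-49 replaces the workflow-level set rather than adding to it, so the benchmark job ends up with exactly contents/issues/pull-requests — correct here, but the comment's "Override read-all" reads as additive; suggest `# Job-level permissions replace (do not merge with) the workflow-level set.` The `(benchmark.yaml:29)` line reference in L45 will drift with the first edit to the file; keep the PR number and drop the line number. If this workflow also runs on `pull_request` events from forks (the `on:` block is above the hunk), the token is read-only there regardless of this grant, so 'Comment on PR' would still fail on fork PRs. `permissions: read-all` on L31 (and the identical block in the other eight files in this PR) passes Scorecard's Token-Permissions check but still grants every read scope to every job; `permissions: contents: read` at the top with per-job additions is the tighter form of the same policy. Unrelated to this change but within the Scorecard goal the comment cites: `actions/checkout@v4` on L52 is tag-pinned, and the Pinned-Dependencies check wants a commit SHA.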
4 changes: 4 additions & 0 deletions .github/workflows/build.yaml
Expand Up @@ -18,6 +18,10 @@ on:
default: false
description: "Build for both amd64 and arm64"

# Default to read-only at the workflow level (least privilege per Scorecard).
# Jobs that need elevated scopes override below.
permissions: read-all

jobs:
build:
runs-on: ubuntu-latest
11 changes: 11 additions & 0 deletions .github/workflows/bypass.yaml
Expand Up @@ -2,6 +2,10 @@ name: build
on:
workflow_dispatch:

# Default to read-only at the workflow level (least privilege per Scorecard).
# Jobs that need elevated scopes override below.
permissions: read-all

jobs:
reset-run-number:
runs-on: ubuntu-latest
Expand All @@ -18,6 +22,13 @@ jobs:

pr-merged:
needs: reset-run-number
# Scopes the reusable workflow's docker-build / create-release jobs need.
# Mirrors pr-merged.yaml's pr-merged job — required because the top-level
# 'permissions: read-all' caps what the called workflow can request.
permissions:
id-token: write
packages: write
contents: write
uses: ./.github/workflows/incluster-comp-pr-merged.yaml
with:
IMAGE_NAME: ghcr.io/${{ github.repository_owner }}/node-agent
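Review bot: The pr-merged job's grant on L88-91 (`id-token: write`, `packages: write`, `contents: write`) is the broadest in this PR and sits on a `workflow_dispatch`-only workflow, yet the comment only says it "mirrors pr-merged.yaml", so a change on that side will silently diverge from this copy. Tie each scope to its consumer so a reviewer can drop one when the called workflow changes, e.g. `# packages: write — docker-build pushes to ghcr.io; contents: write — create-release; id-token: write — OIDC, confirm which step needs it`. The id-token consumer is not visible in this hunk, so that last clause should be verified against incluster-comp-pr-merged.yaml before landing. The pr-merged job's `with:` block continues past the end of the hunk.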
4 changes: 4 additions & 0 deletions .github/workflows/component-tests.yaml
Expand Up @@ -60,6 +60,10 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

# Default to read-only at the workflow level (least privilege per Scorecard).
# Jobs that need elevated scopes override below.
permissions: read-all

jobs:
# -------------------------------------------------------------------
# Detect what changed to decide whether an image rebuild is needed.
13 changes: 13 additions & 0 deletions .github/workflows/go-basic-tests.yaml
Expand Up @@ -36,6 +36,10 @@ on:
GITGUARDIAN_API_KEY:
required: false

# Default to read-only at the workflow level (least privilege per Scorecard).
# Jobs that need elevated scopes override below.
permissions: read-all

jobs:
Check-secret:
name: check if secrets are set
Expand Down Expand Up @@ -72,6 +76,15 @@ jobs:
name: Create cross-platform build
# needs: [ Setup-Environment ]
runs-on: ubuntu-latest
# Override read-all to let github/codeql-action/analyze upload its
# SARIF results — without security-events:write the upload silently
# fails (masked by continue-on-error on the CodeQL steps).
# NOTE: this is a workflow_call reusable, so the caller must ALSO
# grant security-events:write — pr-created.yaml's pr-created job
# already does. CodeRabbit PR #39 finding (go-basic-tests.yaml:41).
permissions:
contents: read
security-events: write
env:
GITHUB_TOKEN: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
CGO_ENABLED: ${{ inputs.CGO_ENABLED }}
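Review bot: The new `security-events: write` grant on L135-137 fixes the upload, but the comment itself says the failure was masked by `continue-on-error` on the CodeQL steps and this change leaves that masking in place, so the next regression (for example a caller that forgets the scope, as the NOTE warns) will again fail silently. Consider dropping `continue-on-error` from the analyze/upload step, or adding a step that fails the job when no SARIF was uploaded, so the grant is actually exercised by CI. Separately, L139 replaces `GITHUB_TOKEN` in the job env with `secrets.GH_PERSONAL_ACCESS_TOKEN`; the `permissions:` block constrains only the installation token (`github.token`), so any step or tool that reads the env `GITHUB_TOKEN` runs with the PAT's scopes outside this boundary — worth stating in the comment: `# 'permissions' governs github.token only; steps reading env GITHUB_TOKEN use the PAT's scopes.` The job body continues beyond the hunk.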
4 changes: 4 additions & 0 deletions .github/workflows/incluster-comp-pr-created.yaml
Expand Up @@ -33,6 +33,10 @@ on:
GITGUARDIAN_API_KEY:
required: false

# Default to read-only at the workflow level (least privilege per Scorecard).
# Jobs that need elevated scopes override below.
permissions: read-all

jobs:
test:
permissions:
4 changes: 4 additions & 0 deletions .github/workflows/incluster-comp-pr-merged.yaml
Expand Up @@ -60,6 +60,10 @@ on:
default: false
type: boolean

# Default to read-only at the workflow level (least privilege per Scorecard).
# Jobs that need elevated scopes override below.
permissions: read-all

jobs:
docker-build:
if: ${{ ((contains(github.event.pull_request.labels.*.name, 'release') || contains( github.event.pull_request.labels.*.name, 'trigger-integration-test')) && github.repository_owner == 'kubescape') || inputs.FORCE }}
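Review bot: The new workflow-level `permissions: read-all` on L164 caps every job in this reusable workflow, and the docker-build job on L167-168 shows no job-level override in this hunk; the sibling change in bypass.yaml (L85-91) names docker-build and create-release as the consumers of `packages: write` and `contents: write`, which would now fail unless those jobs declare their own `permissions:` further down (outside the hunk, so unverified). If they do, the `id-token`/`packages`/`contents` rationale comment belongs here too, since this is the file where the scopes are consumed. A called workflow's jobs can request at most what the caller's job grants, so the bypass.yaml and pr-merged.yaml callers must be kept in sync with any override in this file. The docker-build job continues beyond the hunk.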
4 changes: 4 additions & 0 deletions .github/workflows/pr-created.yaml
Expand Up @@ -11,6 +11,10 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

# Default to read-only at the workflow level (least privilege per Scorecard).
# Jobs that need elevated scopes override below.
permissions: read-all

jobs:
pr-created:
permissions:
4 changes: 4 additions & 0 deletions .github/workflows/pr-merged.yaml
Expand Up @@ -10,6 +10,10 @@ on:

workflow_dispatch:

# Default to read-only at the workflow level (least privilege per Scorecard).
# Jobs that need elevated scopes override below.
permissions: read-all

jobs:
reset-run-number:
runs-on: ubuntu-latest