fix(ci): set least-privilege permissions on the CI workflow #964

Open

jedrazb wants to merge 1 commit into main from fix/codeql-ci-workflow-permissions

Conversation

jedrazb (Contributor) commented Jun 20, 2026

Resolves the three medium-severity CodeQL actions/missing-workflow-permissions alerts in .github/workflows/ci.yml.

The workflow declared no permissions, so its lint, test, and build jobs ran with the default read/write GITHUB_TOKEN. They only need to read the repository, so this adds a top-level permissions: contents: read (least privilege, inherited by all jobs).

CI/workflow-only change, no package impact (no changeset).

🤖 Generated with Claude Code
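The description above explains the fix but the page does not show the diff itself. As an added example (not the PR's code and not the repository's actual ci.yml), the constructed workflows below show the "before" state with no permissions key and the "after" state with the top-level `permissions: contents: read` block, together with an indentation-based heuristic check for the condition that CodeQL's actions/missing-workflow-permissions alert reports. It also handles the job-level override case (one job declaring its own `permissions:`), which goes slightly beyond the PR's top-level-only change.

```python
"""Heuristic check for workflows with no GITHUB_TOKEN `permissions` block,
the condition behind CodeQL's actions/missing-workflow-permissions alert.
Added example; the sample workflows are constructed, not the repo's ci.yml."""
import re

# Constructed "before": no permissions key anywhere, so every job runs with
# the repository's default GITHUB_TOKEN, which may be read/write.
BEFORE = """\
name: CI
on: [push, pull_request]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm run lint
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm run build
"""

# Constructed "after": a top-level block that every job inherits.
AFTER = BEFORE.replace("jobs:\n", "permissions:\n  contents: read\njobs:\n")


def jobs_missing_permissions(workflow_text):
    """Return names of jobs covered by neither a top-level nor a job-level
    `permissions:` key. Indentation-based, so it assumes the plain two-space
    block style of typical workflow files, not arbitrary YAML."""
    lines = workflow_text.splitlines()
    if any(re.match(r"^permissions:", ln) for ln in lines):
        return []  # a top-level block applies to every job
    missing, covered, job, in_jobs = [], set(), None, False
    for ln in lines:
        if re.match(r"^jobs:", ln):
            in_jobs = True
            continue
        if in_jobs and re.match(r"^\S", ln):
            in_jobs = False  # another top-level key ends the jobs block
        if not in_jobs:
            continue
        m = re.match(r"^  (\w[\w-]*):", ln)  # job id at two-space indent
        if m:
            job = m.group(1)
            missing.append(job)
        elif job and re.match(r"^    permissions:", ln):
            covered.add(job)  # job-level override covers this job
    return [j for j in missing if j not in covered]
```

Running the check over BEFORE reports both jobs; over AFTER it reports none, because the inherited top-level block is what the PR relies on.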



Declare a top-level `permissions: contents: read` so the lint, test, and
build jobs run with a read-only GITHUB_TOKEN instead of the default
read/write token.

Resolves CodeQL actions/missing-workflow-permissions.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
vercel (Bot) commented Jun 20, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project     | Deployment | Actions          | Updated (UTC)
docx-editor | Ready      | Preview, Comment | Jun 20, 2026 9:27pm


eigenpal-release-pal (Contributor) commented

All contributors have signed the CLA ✍️ ✅

Posted by the CLA bot.

greptile-apps (Bot, Contributor) commented Jun 20, 2026

Greptile Summary

This PR resolves three CodeQL actions/missing-workflow-permissions alerts by adding an explicit top-level permissions: contents: read block to the CI workflow, replacing the previous implicit default of full read/write GITHUB_TOKEN access.

  • All three jobs (lint, test, build) only checkout code and run local scripts, so contents: read is the correct minimum scope — no write access to contents, packages, pull-requests, or any other resource is needed.
  • The change is a four-line addition with no impact on job logic, dependencies, or the published packages.

Confidence Score: 5/5

Safe to merge — the change is a minimal four-line addition that only restricts what the GITHUB_TOKEN can do; it cannot break any of the existing job steps.

All three jobs (lint, test, build) only check out the repository and run local scripts; none of them write to the repo, post comments, publish packages, or interact with any GitHub API that requires broader token scopes. Restricting to contents: read is therefore the correct and complete fix.

No files require special attention.

Important Files Changed

Filename                  | Overview
.github/workflows/ci.yml  | Adds top-level permissions: contents: read so all three jobs inherit least-privilege GITHUB_TOKEN access; no functional logic changed.

Sequence Diagram

%%{init: {'theme': 'neutral'}}%%
sequenceDiagram
    participant GH as GitHub Actions
    participant Token as GITHUB_TOKEN
    participant lint as lint job
    participant test as test job
    participant build as build job

    Note over GH,build: Before: default read/write token (implicit)
    GH->>Token: issue token (read+write)
    Token-->>lint: full read/write access
    Token-->>test: full read/write access
    Token-->>build: full read/write access

    Note over GH,build: After: permissions: contents: read (explicit, least-privilege)
    GH->>Token: issue token (contents: read only)
    Token-->>lint: read-only access
    Token-->>test: read-only access
    Token-->>build: read-only access

Reviews (1): Last reviewed commit: "fix(ci): set least-privilege permissions..."
