github/workflows: Improve workflow security#180
Pull request overview
This PR aims to improve GitHub Actions workflow security by consolidating permissions and removing duplicates. It adds top-level permissions to two workflows that previously lacked them and attempts to deduplicate permissions in the CodeQL workflow.
Changes:
- Added top-level `permissions: contents: read` to `update-headlamp-submodule.yml` and `scorecard-analysis.yml`
- Removed duplicate permissions from top-level and job-level in `codeql-analysis.yml`
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| .github/workflows/update-headlamp-submodule.yml | Adds top-level read-only content permission while job retains write permission override |
| .github/workflows/scorecard-analysis.yml | Adds top-level read-only content permission while job retains security-events and id-token write permissions |
| .github/workflows/codeql-analysis.yml | Attempts to remove duplicate permissions but incorrectly removes contents: read from job-level, breaking checkout functionality |
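The table above hinges on one GitHub Actions rule: a job-level `permissions` block replaces the workflow-level block for that job rather than merging with it, and every scope the job-level block omits is set to `none`. The following workflow sketch is an added illustration of that rule, not the repository's actual `codeql-analysis.yml` (the page only names the file); the job names, the `javascript` language value and the action references are assumed.

```yaml
name: CodeQL (illustrative)

on:
  push:
    branches: [main]
  pull_request:

# Workflow-level default: every job starts read-only unless it says otherwise.
permissions:
  contents: read

jobs:
  # BROKEN: this job-level block replaces the workflow-level block for this job.
  # "contents" is not listed, so it becomes none and checkout loses the scope
  # it needs; this is the defect the review flagged for codeql-analysis.yml.
  analyze-broken:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
    steps:
      - uses: actions/checkout@v4   # no contents scope in this job

  # FIXED: re-state contents: read next to the extra scope the job needs.
  # Job-level permissions are a full replacement, not a delta on the top level.
  analyze:
    runs-on: ubuntu-latest
    permissions:
      contents: read          # required by actions/checkout
      security-events: write  # required to upload CodeQL results
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: javascript   # assumed; set per repository
      - uses: github/codeql-action/analyze@v3
```

The same pattern applies to the other two files in the table: the top-level `contents: read` is the safe default for jobs that declare nothing, while a job such as the scorecard one that declares `security-events: write` and `id-token: write` must also list `contents: read` explicitly if it checks out the repository.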
illume left a comment:
Please add the `contents: read` in the job permissions as Copilot requests.
Signed-off-by: Evangelos Skopelitis <eskopelitis@microsoft.com>
Pull request overview
Copilot reviewed 3 out of 3 changed files in this pull request and generated no new comments.
These changes update the GitHub Actions workflows by removing duplicate permissions and setting top-level permissions where they aren't defined, improving security.