Skip to content

fix(ci): tighten workflow GITHUB_TOKEN to least privilege (Scorecard Token-Permissions)#379

Closed
seonghobae wants to merge 1 commit into
mainfrom
fix/code-scanning-alerts
Closed

fix(ci): tighten workflow GITHUB_TOKEN to least privilege (Scorecard Token-Permissions)#379
seonghobae wants to merge 1 commit into
mainfrom
fix/code-scanning-alerts

Conversation

@seonghobae

Copy link
Copy Markdown
Contributor

Summary

Remediates the fixable Scorecard Token-Permissions code-scanning alerts on the org .github workflows by applying least privilege: the workflow-level GITHUB_TOKEN is kept read-only and every write scope is declared only on the job that needs it. No functionality is removed — each write grant is preserved at job scope.

Alerts fixed in code

Alert File Fix
#43 strix.yml Moved top-level id-token:write + statuses:write onto the strix scan job (previously it had no explicit block and inherited the broad top-level token). Workflow-level token is now read-only; the publish job keeps its own job-scoped writes.
#42 security-scan.yml Dropped redundant top-level security-events:write — the osv-scan, trivy-fs, and scorecard jobs each already declare it at job scope.
#41 osv-scanner-pr.yml Dropped redundant top-level security-events:write — the osv-scan reusable-workflow job already declares it at job scope.
#9 pr-review-merge-scheduler.yml Added a least-privilege top-level permissions: contents: read default (workflow previously had none, so jobs inherited the broad default token). scan-pr-queue keeps its own job-scoped writes.
#8 pr-review-fix-scheduler.yml Added a least-privilege top-level permissions: contents: read default. dispatch-review-fixes keeps its own job-scoped writes.

These are hardening changes; they take effect once Scorecard re-analyzes main after merge.

Not changed (recorded as central-config / required-by-design — deliberately not weakened)

Testing

Full pytest suite: 171 passed. The 3 failing tests (test_noema_review_gate, two test_opencode_agent_contract) are pre-existing on the base branch (stale contract assertions like default: "-1"), unrelated to these permission edits — verified by running them against a clean tree.

🤖 Generated with Claude Code

Scorecard Token-Permissions findings on the org .github workflows. Each fix
follows least privilege — the workflow-level token is read-only and write
scopes live only on the jobs that need them. No functionality is removed;
every write grant is preserved at job scope where it was already (or is now)
declared.

- strix.yml (alert #43): move top-level id-token:write + statuses:write onto
  the `strix` scan job (which had no explicit block and relied on the broad
  top-level token); workflow-level token is now read-only. The publish job
  keeps its own job-scoped writes.
- security-scan.yml (alert #42): drop redundant top-level security-events:write
  — the osv-scan, trivy-fs and scorecard jobs each already declare it.
- osv-scanner-pr.yml (alert #41): drop redundant top-level security-events:write
  — the osv-scan reusable-workflow job already declares it at job scope.
- pr-review-merge-scheduler.yml (alert #9): add a least-privilege top-level
  `permissions: contents: read` default; scan-pr-queue keeps its own writes.
- pr-review-fix-scheduler.yml (alert #8): add a least-privilege top-level
  `permissions: contents: read` default; dispatch-review-fixes keeps its own.

Tests: full suite unchanged (171 pass; 3 pre-existing stale-contract failures
present on base, unrelated to permissions).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01RTAMs4bpSZS77Xe3RQjv9P
@seonghobae

Copy link
Copy Markdown
Contributor Author

Superseded by #382, which includes this least-privilege token fix plus the Trivy log visibility and CI regression fixes, all in one current branch.

@seonghobae seonghobae closed this Jul 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant