Skip to content

fix(ci): least-privilege top-level GITHUB_TOKEN permissions#384

Closed
seonghobae wants to merge 1 commit into
mainfrom
fix/token-permissions-least-privilege
Closed

fix(ci): least-privilege top-level GITHUB_TOKEN permissions#384
seonghobae wants to merge 1 commit into
mainfrom
fix/token-permissions-least-privilege

Conversation

@seonghobae

Copy link
Copy Markdown
Contributor

Summary

Fixes OpenSSF Scorecard Token-Permissions code-scanning alerts (excessive GITHUB_TOKEN scope / principle-of-least-privilege) by setting each affected workflow's top-level permissions to read-only and declaring the required write scopes at the job level — the same pattern already used by scorecard-analysis.yml (permissions: read-all top + job-level writes).

Alerts addressed

Alert File Finding Fix
#43 strix.yml (L100) topLevel statuses: write top level → contents: read; write scopes (id-token, statuses, actions, models) moved to the strix job
#42 security-scan.yml (L41) topLevel security-events: write top level → contents: read; all jobs already declare their own scopes
#41 osv-scanner-pr.yml (L20) topLevel security-events: write top level → contents: read; osv-scan keeps job-level security-events: write
#9 pr-review-merge-scheduler.yml (L1) no topLevel permission defined add top-level contents: read; scan-pr-queue keeps its explicit write scopes

Safety

  • No functional job loses any permission. Every job that performs writes (OIDC exchange, SARIF upload, commit statuses, PR/merge mutations) retains its exact write scopes at the job level. Only the top-level defaults and the echo-only cancel-closed-pr-runs jobs are tightened to read-only.
  • No workflow, threshold, or gate is weakened.
  • No OpenCode timing/config (opencode-review.yml, OPENCODE_* env) touched; no run-cancellation behavior changed.

Note on alert #21 (osv-scanner-pr.yml jobLevel security-events: write)

That job-level security-events: write is the minimum scope required for the reusable google/osv-scanner-action PR workflow to upload its SARIF to code scanning — which is the entire purpose of this file (satisfies the org code_scanning(osv-scanner) ruleset). Scorecard flags it only because it cannot see the recognized upload-sarif action inside the reusable workflow. Removing it would break SARIF upload and the org gate, so it is retained by design.

Scorecard Token-Permissions (CWE: excessive GITHUB_TOKEN scope) flagged
top-level write permissions across four workflows. Set each workflow's
top-level permissions to read-only (contents: read) and keep the required
write scopes declared at the job level:

- strix.yml: move id-token/statuses write + actions/models read to the
  strix job; top level now contents: read (fixes alert #43).
- security-scan.yml: top level -> contents: read; all jobs already
  declare their own scopes (fixes alert #42).
- osv-scanner-pr.yml: top level -> contents: read; osv-scan keeps its
  job-level security-events: write for SARIF upload (fixes alert #41).
- pr-review-merge-scheduler.yml: add top-level contents: read; the
  scan-pr-queue job keeps its explicit write scopes (fixes alert #9).

No effective permission of any functional job is reduced.
@seonghobae

Copy link
Copy Markdown
Contributor Author

Superseded by #382, which contains the least-privilege token-permission fixes from this PR plus the central OSV/Trivy failure-log visibility and review-cadence fixes now being validated on the newer head.

@seonghobae seonghobae closed this Jul 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant