
security: add least-privilege permissions to release workflows#119

Merged
intel352 merged 1 commit into main from sec/workflow-permissions-20260529 on May 29, 2026

Conversation

@intel352
Contributor

Summary

Fixes CodeQL actions/missing-workflow-permissions MEDIUM alerts in two release workflows by adding a top-level permissions: {} deny-all default and explicit least-privilege permissions: blocks on each job.

No workflow logic was changed — only permissions: keys were added.

Permissions added per job

release.yml

Top-level (new):

permissions: {}

Denies all scopes by default; jobs below grant only what they need.

release job (was flagged ~line 46):

permissions:
  contents: write      # gh release create, upload asset, git push branch for module-path PR
  pull-requests: write # gh pr create for v2+ module-path update

Reasoning: the Create release step runs gh release create … "$ARCHIVE" (uploads asset → contents: write). The Create PR for module path update step runs git push origin "$BRANCH_NAME" and gh pr create → both need contents: write + pull-requests: write.

bump-modules job (was flagged ~line 441):

permissions:
  contents: write      # callee commits, pushes branch, and merges PR
  pull-requests: write # callee creates and merges the bump PR
  actions: read        # callee reads workflow run status
  checks: write        # callee writes check results

Reasoning: bump-modules is a uses: delegation to auto-bump-modules.yml, which already declares these four scopes in its own top-level permissions: block. When a reusable workflow is called, the caller's GITHUB_TOKEN permissions bound what the callee receives — so the caller must carry at least the scopes the callee needs.


module-release.yml

Top-level (new):

permissions: {}

prepare-release job (read-only prep):

permissions:
  contents: read       # checkout + git tag list + find modules directory

Reasoning: this job only reads the repo (checkout, git tag -l, find modules). No writes anywhere.

release-module job (was flagged ~line 104):

permissions:
  contents: write      # gh release create, git push origin "$TAG", git push branch for module-path PR
  pull-requests: write # gh pr create for v2+ module-path update

Reasoning: the Create release step runs gh release create and then git push origin "$TAG" (tag push → contents: write). The Create PR for module path update step runs git push origin "$BRANCH_NAME" and gh pr create → contents: write + pull-requests: write.

Test plan

  • YAML validates cleanly (python3 -c "import yaml; yaml.safe_load(open(f))" passes for both files — confirmed locally before push)
  • Trigger Release workflow (workflow_dispatch) on a patch bump and confirm the release job and bump-modules job both complete successfully
  • Trigger Module Release workflow and confirm prepare-release + release-module both complete successfully
  • Confirm CodeQL actions/missing-workflow-permissions alerts are resolved after the next scan

🤖 Generated with Claude Code

Resolves CodeQL actions/missing-workflow-permissions MEDIUM alerts in
release.yml (jobs: release, bump-modules) and module-release.yml
(jobs: prepare-release, release-module).

Top-level `permissions: {}` added to both files to deny all scopes by
default.  Each job is granted only the minimum scopes its steps require:

release.yml / release:
  contents: write      — gh release create, upload asset, git push branch (module-path PR)
  pull-requests: write — gh pr create for v2+ module-path update

release.yml / bump-modules:
  contents: write      — callee (auto-bump-modules) commits, pushes, merges
  pull-requests: write — callee creates and merges bump PR
  actions: read        — callee reads workflow run status (mirrors callee declaration)
  checks: write        — callee writes check results (mirrors callee declaration)

module-release.yml / prepare-release:
  contents: read       — checkout + git tag list + find modules (read-only)

module-release.yml / release-module:
  contents: write      — gh release create, git push origin "$TAG", git push branch
  pull-requests: write — gh pr create for v2+ module-path update

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
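The two rules this PR relies on (a job with neither a job-level nor a top-level permissions block is the CodeQL finding, and a caller job's GITHUB_TOKEN scopes bound what a reusable callee receives) can be checked mechanically. The script below is an added example, not part of this project; it works on workflows already parsed into dicts (e.g. by yaml.safe_load), and the sample workflows are constructed to mirror the job layout described above, not the real files.

```python
"""Least-privilege checks over parsed GitHub Actions workflows (added example)."""

LEVELS = {"none": 0, "read": 1, "write": 2}  # ordering of GITHUB_TOKEN access levels

def effective_permissions(workflow, job):
    """Permissions a job's token gets: its own block if present, else the workflow's
    top-level block. None means neither was declared (the CodeQL finding)."""
    if "permissions" in job:
        return job["permissions"]
    return workflow.get("permissions")

def normalize(perms):
    """Map a permissions value to {scope: level}; '*' stands for read-all/write-all."""
    if perms is None:
        return {}  # assumption: an undeclared block is treated as granting nothing
    if isinstance(perms, str):
        return {"*": perms.split("-")[0]}
    return dict(perms)  # {} (deny-all) stays empty

def level(perms, scope):
    return LEVELS[perms["*"]] if "*" in perms else LEVELS.get(perms.get(scope, "none"), 0)

def find_missing_permissions(workflow):
    """Jobs with neither a job-level nor a top-level permissions block."""
    return sorted(name for name, job in workflow["jobs"].items()
                  if effective_permissions(workflow, job) is None)

def find_insufficient_caller_scopes(caller, job_name, callee):
    """Scopes the reusable callee declares at top level that the caller job grants
    at a lower level; the caller's token bounds what the callee receives."""
    granted = normalize(effective_permissions(caller, caller["jobs"][job_name]))
    needed = normalize(callee.get("permissions"))
    return sorted(s for s, lvl in needed.items() if level(granted, s) < LEVELS[lvl])

# Constructed samples mirroring the job layout described in the PR (not the real files).
AUTO_BUMP = {"permissions": {"contents": "write", "pull-requests": "write",
                             "actions": "read", "checks": "write"}, "jobs": {}}
RELEASE_BEFORE = {"jobs": {
    "release": {"runs-on": "ubuntu-latest", "steps": []},
    "bump-modules": {"uses": "./.github/workflows/auto-bump-modules.yml"}}}
RELEASE_AFTER = {"permissions": {}, "jobs": {
    "release": {"permissions": {"contents": "write", "pull-requests": "write"}, "steps": []},
    "bump-modules": {"permissions": dict(AUTO_BUMP["permissions"]),
                     "uses": "./.github/workflows/auto-bump-modules.yml"}}}

if __name__ == "__main__":
    print("missing before:", find_missing_permissions(RELEASE_BEFORE))
    print("caller gaps before:", find_insufficient_caller_scopes(RELEASE_BEFORE, "bump-modules", AUTO_BUMP))
    print("caller gaps after:", find_insufficient_caller_scopes(RELEASE_AFTER, "bump-modules", AUTO_BUMP))
```

A job-level block that downgrades a scope the callee needs (say contents: read on bump-modules) shows up in the caller-gap list even though the top-level deny-all is in place.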
@codecov

codecov Bot commented May 29, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.


@intel352 intel352 merged commit fb418e6 into main May 29, 2026
8 checks passed
@intel352 intel352 deleted the sec/workflow-permissions-20260529 branch May 29, 2026 10:57
