Skip to content

Add explicit permissions to CI workflow jobs #23

New issue
New issue
Closed
#24
Closed
Add explicit permissions to CI workflow jobs#23
#24
@RAprogramm

Description

@RAprogramm
RAprogramm
opened on Oct 19, 2025

Fix CodeQL security warnings by adding explicit permissions to all workflow jobs.

Problem

CodeQL security scanning found 9 warnings in ci.yml:

  • All jobs lack explicit permissions declarations
  • This violates security best practices (principle of least privilege)
  • Default permissions may be too broad

Root Cause

GitHub Actions workflows should explicitly declare minimal required permissions for each job instead of relying on default permissions.

Solution

Add explicit permissions: block to each job with minimal required permissions:

Read-only jobs (contents: read)

  • format
  • clippy
  • reuse
  • docs
  • build
  • benchmark

Jobs requiring cache writes (contents: read, actions: write)

  • test (for Swatinem/rust-cache@v2)
  • coverage (for Swatinem/rust-cache@v2)
  • audit (for Swatinem/rust-cache@v2)

Additional Improvement

Integrate cargo-deny into audit job:

  • Install cargo-deny via taiki-e/install-action
  • Run cargo deny check after cargo-audit
  • Ensures supply chain security checks run in CI

Benefits

  • Fixes all 9 CodeQL security warnings
  • Implements principle of least privilege
  • Professional security posture
  • Integrates cargo-deny into CI pipeline
  • Complies with GitHub security best practices

References

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions