@RAprogramm
Owner

Closes #23

Changes

Added explicit permissions: blocks to all 9 jobs in ci.yml workflow.

Jobs with read-only permissions

  • format: contents: read
  • reuse: contents: read
  • audit: contents: read

Jobs requiring cache write

  • clippy: contents: read, actions: write
  • test: contents: read, actions: write
  • coverage: contents: read, actions: write
  • docs: contents: read, actions: write
  • build: contents: read, actions: write
  • benchmark: contents: read, actions: write

Why actions: write?

Jobs using Swatinem/rust-cache@v2 require the actions: write permission to save the cache in the post step. Without this permission, the cache save fails with an "insufficient permissions" error.

Benefits

  • ✅ Fixes all 9 CodeQL security warnings
  • ✅ Implements principle of least privilege
  • ✅ Explicit permission declarations improve security
  • ✅ Follows GitHub Actions security best practices
  • ✅ Professional enterprise-grade security posture

Security Impact

Before: Workflows used default permissions (potentially too broad)
After: Each job has minimal required permissions explicitly declared

Testing

  • All CI jobs will pass with new permissions
  • Rust cache will save correctly with actions: write
  • CodeQL security warnings will be resolved

References

- Add permissions block to all 9 jobs in ci.yml
- Implement principle of least privilege
- Fix all CodeQL security warnings

Jobs with contents: read only:
- format, reuse, audit

Jobs with contents: read + actions: write:
- clippy, test, coverage, docs, build, benchmark
  (require actions: write for Swatinem/rust-cache@v2)

Benefits:
- Fixes 9 CodeQL security warnings
- Follows GitHub Actions security best practices
- Explicitly declares minimal required permissions
- Professional security posture
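The layout the PR describes, as an added example and not the project's actual ci.yml: one read-only job and one cache-saving job, each with its own permissions: block. The job names and the two permission sets come from the PR description; the on: trigger, the checkout and cargo steps, and the action version tags are assumed for illustration.

```yaml
# Added example, not the project's ci.yml. Job names and permission sets
# follow the PR description; trigger, steps and action versions are assumed.
name: CI

on:
  pull_request:
  push:
    branches: [main]

# Workflow-level default for any job that declares nothing of its own:
# the GITHUB_TOKEN can read the repository and nothing else.
permissions:
  contents: read

jobs:
  # Read-only job: listing only contents: read sets every other scope to none.
  format:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - run: cargo fmt --all -- --check

  # Cache-saving job: actions: write is added so the rust-cache post step
  # can save, which is the failure the PR description reports without it.
  test:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      actions: write
    steps:
      - uses: actions/checkout@v4
      - uses: Swatinem/rust-cache@v2
      - run: cargo test --all-features
```

Two points worth checking when adding blocks like these: a job-level permissions: block replaces the workflow-level one rather than extending it, so every scope a job needs must appear in the job's own block, and any scope left unlisted in a block is set to none, which is what makes the declaration both explicit and minimal.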
@codecov

codecov bot commented Oct 19, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ All tests successful. No failed tests found.


@RAprogramm RAprogramm merged commit e97a388 into main Oct 19, 2025
23 of 24 checks passed
@RAprogramm RAprogramm deleted the 23 branch October 19, 2025 01:40
Successfully merging this pull request may close these issues.

Add explicit permissions to CI workflow jobs