
Set explicit minimum permissions on GitHub Actions workflows #1573

Merged
kmcginnes merged 1 commit into aws:main from kmcginnes:explicit-github-action-permissions
Mar 10, 2026

Conversation

@kmcginnes (Collaborator) commented Mar 10, 2026

Description

Set explicit minimum permissions (contents: read) at the workflow level on all three GitHub Actions workflows. This follows the principle of least privilege and ensures any future jobs inherit restricted token permissions by default.

  • Add top-level permissions: contents: read to unit.yml (was missing entirely)
  • Move permissions from job level to workflow level in build_docker.yml
  • Move permissions from job level to workflow level in test_build_docker.yml

Validation

  • Verify each workflow file has permissions: contents: read at the top level
  • Verify no job-level permissions blocks remain
  • CI workflows should pass as before since no functional behavior changed

Related Issues

N/A

Check List

  • I confirm that my contribution is made under the terms of the Apache 2.0 license.
  • I have run pnpm checks to ensure code compiles and meets standards.
  • I have run pnpm test to check if all tests are passing.
  • I have covered new added functionality with unit tests if necessary.
  • I have added an entry in the Changelog.md.

Move permissions to the workflow level with contents: read for all three
workflows. This follows the principle of least privilege and ensures any
future jobs inherit the restricted token by default.

- unit.yml: Add permissions (was missing entirely)
- build_docker.yml: Move from job level to workflow level
- test_build_docker.yml: Move from job level to workflow level
@kmcginnes kmcginnes marked this pull request as ready for review March 10, 2026 19:46
@kmcginnes kmcginnes merged commit 7681429 into aws:main Mar 10, 2026
2 checks passed
@kmcginnes kmcginnes deleted the explicit-github-action-permissions branch March 10, 2026 20:02
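The PR's validation steps (top-level `permissions: contents: read` present, no job-level `permissions:` blocks left) can be scripted. The following is an added example, not code from this PR or from the aws repository; the three embedded workflows are constructed samples that imitate the "before" and "after" shapes described above, not the project's real unit.yml, build_docker.yml or test_build_docker.yml. The function names (`audit_workflow`, `passes_pr_validation`, `findings`) are the example's own. The scanner tracks indentation instead of using a YAML parser, so it assumes ordinary block-style workflow files (2-space indents, one key per line).

```python
"""Lint GitHub Actions workflow files for explicit, workflow-level token
permissions. Added example; not part of the aws project or this PR."""
import re
from typing import Dict, List

# A mapping key at the start of a line: (indent, key, optional inline value).
KEY_RE = re.compile(r"^(\s*)([A-Za-z_][\w.-]*):(.*)$")

# Constructed sample, not the repository's file: permissions only at job level.
JOB_LEVEL_ONLY = """\
name: build_docker
on:
  push:
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
"""

# Constructed sample: the shape the PR introduced (workflow-level block).
WORKFLOW_LEVEL = """\
name: build_docker
on:
  push:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
"""

# Constructed sample: no permissions block at all, so the GITHUB_TOKEN falls
# back to the repository's default scopes.
MISSING = """\
name: unit
on: [pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - run: pnpm test
"""


def audit_workflow(text: str) -> Dict[str, object]:
    """Return the workflow-level permissions (None if absent, 'read-all' /
    'write-all' if a scalar, else a scope->level dict) and the names of jobs
    that declare their own permissions block."""
    top = None
    job_level: List[str] = []
    stack: List[tuple] = []  # (indent, key) pairs forming the current key path
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = KEY_RE.match(raw.rstrip())
        if not m:  # sequence items ("- uses: ...") and plain scalars are skipped
            continue
        indent, key = len(m.group(1)), m.group(2)
        value = re.sub(r"\s+#.*$", "", m.group(3)).strip()  # drop trailing comment
        while stack and stack[-1][0] >= indent:  # leave any deeper/sibling keys
            stack.pop()
        stack.append((indent, key))
        path = [k for _, k in stack]
        if path == ["permissions"]:
            top = {} if value in ("", "{}") else value
        elif len(path) == 2 and path[0] == "permissions" and isinstance(top, dict):
            top[key] = value  # e.g. contents: read
        elif len(path) == 3 and path[0] == "jobs" and path[2] == "permissions":
            job_level.append(path[1])  # jobs.<name>.permissions
    return {"top_level": top, "job_level": job_level}


def passes_pr_validation(text: str) -> bool:
    """The PR's acceptance criteria: contents: read at the top, no job overrides."""
    report = audit_workflow(text)
    return report["top_level"] == {"contents": "read"} and not report["job_level"]


def findings(text: str) -> List[str]:
    """Human-readable reasons a workflow fails the check (empty list means pass)."""
    report = audit_workflow(text)
    top = report["top_level"]
    out: List[str] = []
    if top is None:
        out.append("no workflow-level permissions block; jobs inherit the repository default token scopes")
    elif top == "write-all":
        out.append("workflow-level permissions is write-all")
    elif isinstance(top, dict):
        out.extend(f"workflow-level grants {s}: write" for s, lvl in top.items() if lvl == "write")
    out.extend(f"job '{j}' declares its own permissions block" for j in report["job_level"])
    return out


if __name__ == "__main__":
    for label, wf in (("job-level only", JOB_LEVEL_ONLY), ("workflow-level", WORKFLOW_LEVEL), ("missing", MISSING)):
        print(f"{label}: {'PASS' if passes_pr_validation(wf) else 'FAIL'} {findings(wf)}")
```

Running the script over a checkout's .github/workflows directory (read each file and call `passes_pr_validation`) gives a CI-friendly gate for the invariant this PR establishes; `findings` explains why a file fails, including the case where a workflow-level block is present but grants `write` on some scope.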
codecov bot commented Mar 10, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 64.92%. Comparing base (c5affc5) to head (30cef70).
⚠️ Report is 95 commits behind head on main.

Additional details and impacted files
@@             Coverage Diff             @@
##             main    #1573       +/-   ##
===========================================
+ Coverage   47.81%   64.92%   +17.11%     
===========================================
  Files         382      372       -10     
  Lines        8525     8382      -143     
  Branches     3159     3123       -36     
===========================================
+ Hits         4076     5442     +1366     
+ Misses       3070     2085      -985     
+ Partials     1379      855      -524     
Flag | Coverage Δ
unittests | 64.92% <ø> (+17.11%) ⬆️
