Skip to content

gha/sync-release-branch: Use actions write permission#7102

Merged
vvoland merged 1 commit into
docker:masterfrom
vvoland:sync-master
Jul 10, 2026
Merged

gha/sync-release-branch: Use actions write permission#7102
vvoland merged 1 commit into
docker:masterfrom
vvoland:sync-master

Conversation

@vvoland

@vvoland vvoland commented Jul 10, 2026

Copy link
Copy Markdown
Collaborator

workflows is not a supported GITHUB_TOKEN permission key, so GitHub rejects the workflow definition. Use the valid actions permission for both jobs.

`workflows` is not a supported GITHUB_TOKEN permission key, so GitHub
rejects the workflow definition. Use the valid `actions` permission
for both jobs.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
@vvoland vvoland added this to the 29.7.0 milestone Jul 10, 2026
@vvoland vvoland self-assigned this Jul 10, 2026

@thaJeztah thaJeztah left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@codecov-commenter

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

@docker-agent docker-agent left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Assessment: 🟡 NEEDS ATTENTION

The fix correctly replaces the invalid workflows: write permission key with a valid one, unblocking the workflow. However, both jobs only perform git push operations that require contents: write (already present) — actions: write grants substantially broader capabilities than needed (canceling runs, deleting logs, managing secrets). The least-privilege fix would be to remove the second permission entry entirely.

permissions:
contents: write
workflows: write
actions: write

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[medium/security] actions: write is broader than required for this job's git-only operations

Both this job's steps (git push origin HEAD:refs/heads/$temporary_branch) only require contents: write, which is already granted. The actions: write scope was added as a replacement for the previously-invalid workflows: write, but it grants significantly more than is needed:

  • Cancel or re-trigger workflow runs
  • Delete workflow run logs and artifacts
  • Manage repository-level Actions secrets
  • Manage self-hosted runner group assignments

If this workflow were compromised (e.g. via a malicious pinned action), the actions: write token could be used to tamper with other workflow runs or wipe CI audit logs.

Suggested fix: Remove actions: write entirely — contents: write alone is sufficient for all git operations this job performs.

Suggested change
actions: write
permissions:
contents: write
Confidence Score
🟡 moderate 75/100

permissions:
contents: write
workflows: write
actions: write

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[medium/security] actions: write is broader than required for this job's git-only operations

The push-release-branch job only performs git push origin FETCH_HEAD:$RELEASE_BRANCH and git push origin --delete $TEMPORARY_BRANCH — both exclusively need contents: write, which is already present. The actions: write scope was added as a substitute for the previously-invalid workflows: write, but it confers unnecessary capabilities:

  • Cancel or re-trigger workflow runs
  • Delete workflow run logs and artifacts
  • Manage repository-level Actions secrets

This job runs in a docker-releases environment, which may have elevated trust — keeping permissions minimal here is particularly important.

Suggested fix: Remove actions: write entirely — contents: write alone is sufficient.

Suggested change
actions: write
permissions:
contents: write
Confidence Score
🟡 moderate 75/100

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah not sure if that will work, but Kevin said there's a chance and I trust him!

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah not sure if that will work, but Kevin said there's a chance and I trust him!

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fair enough to be cautious! The good news is that actions: write only governs workflow run management (canceling runs, deleting logs/artifacts, and managing secrets) — none of which this job attempts. Since the actual operations are just git push origin FETCH_HEAD:$RELEASE_BRANCH and git push origin --delete $TEMPORARY_BRANCH, they only exercise the repository's Git layer, which is covered by contents: write.

If there's concern about breaking the workflow, you could test it on a separate PR or branch first. But based on the code here, contents: write alone should be sufficient. Happy to clarify further if you'd like!

@vvoland vvoland merged commit 4837088 into docker:master Jul 10, 2026
100 of 102 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants