Calling workflow: Workflow does not contain permissions

[karl19]

So we have this model that all apps use reusable workflow at centralised repo. We try not to have permissions configured at calling workflows so that reusable(called) workflow permissions will be used instead. This way whenever permissions changed at reusable workflow, we dont need to update all 100+ apps that calls the reusable workflow.

But codeQL flags "Workflow does not contain permissions"

Is it possible that codeQL can look into the called(reusable) workflow not complain anymore?

[mbg]

Hi @karl19 👋🏻

Thanks for opening this issue. The actions/missing-workflow-permissions query, which is responsible for the "Workflow does not contain permissions" alert, already checks the workflow triggers and will not raise an alert if the only trigger is workflow_call.

Can you confirm whether your reusable workflow has triggers other than workflow_call? If so, then the query is working correctly as you'd want the explicit permissions for the case where the workflow is triggered by an event other than workflow_call.

You have a bunch of options to work around that. If you want additional triggers to e.g. test the reusable workflow, one easy change would perhaps be to have a separate workflow (with the non-workflow_call triggers and the permissions) that calls the reusable workflow?

[karl19]

Hi @mbg , thanks for the quick response.

All my reusable workflows (we have a calling chain with depth less than 3) only has workflow_call trigger, which means I should not need explicit permissions as well as being flagged by codeQL?

[mbg]

Sorry, I think I mixed up what your problem is. You should not be getting a actions/missing-workflow-permissions alert if your workflow only has a workflow_call trigger. That applies to the reusable workflow, if you're scanning that with CodeQL.

For the calling workflow(s), you must have the permissions or you will get the actions/missing-workflow-permissions alert. That's strongly recommended, because the called workflow gets whatever permissions the calling workflow has. See https://docs.github.com/en/actions/reference/workflows-and-actions/reusing-workflow-configurations#access-and-permissions-for-nested-workflows. If you don't provide explicit permissions in the caller, then this is a security risk because your called workflow may get permissions it shouldn't have. While that is more work to maintain, it ensures that you don't allow the reusable workflow to perform actions that it shouldn't be able to perform.

If you really do want the reusable workflow to have all permissions, then you could add explicit permissions for all available permissions to the calling workflows and would only have to change these if new permissions are introduced.

Alternatively, you could disable the actions/missing-workflow-permissions query in the CodeQL configuration, but you wouldn't get alerts if any workflow is missing permissions.

[karl19]

right thanks @mbg for the detailed explanation