
Scope dependabot-repair workflow token permissions to least privilege #43411

Draft

pelikhan with Copilot wants to merge 3 commits into main from copilot/static-analysis-report-2026-07-04

Conversation

Copilot AI commented Jul 4, 2026


The static-analysis report was flat overall, with one actionable non-FP signal: zizmor excessive-permissions on dependabot-repair.lock.yml (agent job). This change narrows default workflow permissions so the compiled job no longer inherits broad token scope.

  • Problem focus
    • Address the single medium-severity excessive-permissions finding in dependabot-repair while leaving accepted FP clusters unchanged.
  • Workflow source change (.github/workflows/dependabot-repair.md)
    • Replaced top-level permissions: read-all with explicit read-only scopes:
      • actions: read
      • contents: read
      • issues: read
      • pull-requests: read
  • Generated workflow impact (.github/workflows/dependabot-repair.lock.yml)
    • Recompiled output now reflects scoped read permissions on the agent job instead of read-all.
    • Existing write scopes on downstream safe_outputs/conclusion jobs remain explicit and unchanged.

# before
permissions: read-all

# after
permissions:
  actions: read
  contents: read
  issues: read
  pull-requests: read
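
Added example, not code from this PR or the repository: a small Python check that reads a workflow's top-level permissions block and expands it to the level every GITHUB_TOKEN scope actually receives, which is why read-all is broader than the explicit map above (unlisted scopes in an explicit map fall to none). The SCOPES tuple, the NEEDED map and the BEFORE/AFTER fragments are constructed for the example.

```python
import re

# Constructed subset of the GITHUB_TOKEN scopes a `permissions:` block can name.
SCOPES = ("actions", "contents", "issues", "pull-requests", "checks",
          "deployments", "packages", "security-events", "statuses")

def parse_permissions(workflow_text):
    """Workflow-level `permissions` value: 'read-all', 'write-all', a dict of
    scope -> level, or None if absent. Only the unindented top-level key counts."""
    lines = workflow_text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^permissions:\s*(.*?)\s*$", line)
        if not m:
            continue
        inline = m.group(1)
        if inline in ("read-all", "write-all"):
            return inline
        if inline:
            raise ValueError(f"unsupported permissions value: {inline!r}")
        perms = {}
        for nxt in lines[i + 1:]:  # indented `scope: level` entries until dedent
            km = re.match(r"^\s+([a-z-]+):\s*(read|write|none)\s*$", nxt)
            if not km:
                break
            perms[km.group(1)] = km.group(2)
        return perms
    return None

def effective_scopes(perms):
    """Level each scope actually receives. With an explicit map, every unlisted
    scope drops to 'none' (metadata: read is always implied; not tracked here)."""
    if perms is None:
        raise ValueError("no workflow-level block: the repository default applies")
    if isinstance(perms, str):  # 'read-all' / 'write-all'
        return {s: perms.split("-")[0] for s in SCOPES}
    return {s: perms.get(s, "none") for s in SCOPES}

def excess_scopes(perms, needed):
    """Scopes granted above `needed` (scope -> level): the kind of finding
    zizmor's excessive-permissions check reports."""
    rank = {"none": 0, "read": 1, "write": 2}
    return sorted(s for s, lvl in effective_scopes(perms).items()
                  if rank[lvl] > rank[needed.get(s, "none")])

# Constructed before/after fragments mirroring the change described in this PR.
BEFORE = "permissions: read-all\njobs:\n  agent:\n    runs-on: ubuntu-latest\n"
AFTER = ("permissions:\n  actions: read\n  contents: read\n"
         "  issues: read\n  pull-requests: read\njobs:\n")
NEEDED = {"actions": "read", "contents": "read", "issues": "read", "pull-requests": "read"}
```

Running excess_scopes over BEFORE lists the five read scopes the agent job never needed; over AFTER it returns an empty list.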

Copilot AI linked an issue Jul 4, 2026 that may be closed by this pull request
Copilot AI and others added 2 commits July 4, 2026 16:34
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Update static analysis report for 2026-07-04 Scope dependabot-repair workflow token permissions to least privilege Jul 4, 2026
Copilot AI requested a review from pelikhan July 4, 2026 16:45

github-actions Bot commented Jul 4, 2026


🤖 PR Triage — Run §28715668077

Category: chore
Risk: 🟢 Low
Score: 70/100
Impact: 35/50 — scopes dependabot-repair token to least privilege (security hardening)
Urgency: 25/30 — security improvement; +6/-2 YAML, 2 files
Quality: 10/20 — draft, no CI yet
Action: 🚀 fast_track
Batch: pr-batch:new-workflows

Minimal low-risk YAML change adding correct token permission scopes. Recommend undraft → fast-track.

Generated by 🔧 PR Triage Agent · 113.5 AIC · ⌖ 13 AIC · ⊞ 5.5K ·


Development

Successfully merging this pull request may close these issues.

[static-analysis] Report - 2026-07-04
