
Conversation

Contributor

Copilot AI commented Nov 1, 2025

Remove unnecessary id-token: write permissions from daily-perf-improver and daily-test-improver

This PR addresses a HIGH severity excessive-permissions vulnerability identified by Zizmor security analysis.

Changes

  • Remove id-token: write from workflow-level permissions in .github/workflows/daily-perf-improver.md
  • Remove id-token: write from workflow-level permissions in .github/workflows/daily-test-improver.md
  • Recompile both workflows to regenerate .lock.yml files
  • Verify with zizmor security scanner

Analysis

Both workflows had id-token: write at workflow-level (affecting all jobs) and at the agent job level. After reviewing the actions used (checkout, upload-artifact, download-artifact, github-script, setup-node), none require OIDC authentication or id-token permissions. The comment "for auth in some actions" was outdated.

The permission has been completely removed from both workflows since it wasn't actually needed anywhere. The compiler automatically removed it from both workflow-level and job-level permissions.

Verification Results

✅ Zizmor scan completed with 0 HIGH severity findings

  • Previous: HIGH severity excessive-permissions vulnerability
  • Current: 0 high, 2 medium (unrelated artipacked warnings), 0 low, 0 informational

The excessive-permissions vulnerability has been successfully resolved.

Related to #2950

Original prompt

This section details the original issue you should resolve

<issue_title>[task] Scope down id-token: write permissions in daily-perf-improver and daily-test-improver</issue_title>
<issue_description>## Objective
Fix HIGH severity excessive-permissions vulnerability by scoping down id-token: write permission from workflow level to job level in two workflows.

Context

Zizmor security analysis (Discussion #2950) identified that id-token: write permission is overly broad at the workflow level, increasing attack surface and potential for privilege escalation.

Approach

Move id-token: write permission from workflow-level to job-level where it's actually needed:

Before (workflow-level):

```yaml
permissions:
  id-token: write
  contents: read
```

After (job-level):

```yaml
# Workflow level - minimal permissions
permissions:
  contents: read

jobs:
  specific-job:
    permissions:
      id-token: write  # Only where needed
      contents: read
```

Files to Modify

  • .github/workflows/daily-perf-improver.md
  • .github/workflows/daily-test-improver.md
  • .github/workflows/daily-perf-improver.lock.yml (will be regenerated)
  • .github/workflows/daily-test-improver.lock.yml (will be regenerated)

Implementation Steps

  1. Review both workflows to identify which jobs actually need id-token: write
  2. Remove id-token: write from workflow-level permissions
  3. Add id-token: write only to specific jobs that require it
  4. Run gh aw compile daily-perf-improver daily-test-improver to regenerate .lock.yml files
  5. Verify the fix with gh aw compile --zizmor

Acceptance Criteria

  • id-token: write is removed from workflow-level permissions
  • id-token: write is added only to jobs that require it
  • Both workflows still function as intended
  • Zizmor scan shows no HIGH severity excessive-permissions for these workflows
  • Workflows are recompiled without errors

Related to 🔒 Zizmor Security Analysis Report - November 1, 2025 #2950

AI generated by Plan Command for discussion #2950</issue_description>

Comments on the Issue (you are @copilot in this section)



Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
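The fix above hinges on where `id-token: write` is granted: at the workflow level it applies to every job, at the job level only to that job, and in this PR it turned out not to be needed at all. The following added example (not code from this PR, from gh-aw, or from zizmor) scans a workflow file the way a reviewer would and reports each scope that grants the permission; it uses a small indentation-based scan instead of a YAML library so it runs offline, and assumes two-space indentation and a block-style `permissions:` mapping as in the issue's own snippets.

```python
"""Report where a GitHub Actions workflow grants `id-token: write`."""
import re

# Constructed samples mirroring the issue's "before" and "after" snippets.
BEFORE = """\
permissions:
  id-token: write
  contents: read

jobs:
  agent:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
"""

AFTER = """\
permissions:
  contents: read

jobs:
  agent:
    runs-on: ubuntu-latest
    permissions:
      id-token: write  # Only where needed
      contents: read
    steps:
      - uses: actions/checkout@v4
"""

def permission_scopes(text, key="id-token", value="write"):
    """Return the scopes granting `key: value`: 'workflow' and/or 'job:<name>'.
    Assumes block-style `permissions:` mappings; the `permissions: write-all`
    shorthand is not recognised."""
    scopes, in_jobs, current_job, perms_indent = [], False, None, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent, line = len(raw) - len(raw.lstrip()), raw.strip()
        if perms_indent is not None and indent <= perms_indent:
            perms_indent = None  # dedented out of the permissions block
        if indent == 0:
            in_jobs, current_job = line == "jobs:", None
        elif in_jobs and indent == 2 and line.endswith(":"):
            current_job = line[:-1]  # a job id under `jobs:`
        if re.fullmatch(r"permissions:\s*", line):
            perms_indent = indent
        elif perms_indent is not None and re.fullmatch(rf"{key}:\s*{value}\s*(#.*)?", line):
            scopes.append("workflow" if perms_indent == 0 else f"job:{current_job}")
    return scopes

def workflow_level_grants(text):
    """The broad grants a zizmor-style excessive-permissions check would flag."""
    return [s for s in permission_scopes(text) if s == "workflow"]
```

Running `permission_scopes` on the "before" text yields `['workflow']` and on the "after" text `['job:agent']`; a workflow that, as in this PR, drops the permission everywhere yields an empty list.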
@pelikhan
Contributor

pelikhan commented Nov 1, 2025

@copilot keep working

Contributor Author

Copilot AI commented Nov 1, 2025

@copilot keep working

Completed! The id-token: write permission has been removed from both workflows. Zizmor scan confirms 0 HIGH severity issues - the excessive-permissions vulnerability is fixed. ✓

Changes in commit 128f237:

  • Removed id-token: write from workflow-level permissions in both .md files
  • Recompiled workflows - permission also removed from agent jobs (not needed)
  • Verified with zizmor: 0 high, 2 medium (unrelated), 0 low findings

Copilot AI changed the title from "[WIP] Scope down id-token: write permissions in workflows" to "Remove unnecessary id-token: write permissions from workflows" Nov 1, 2025
@pelikhan pelikhan marked this pull request as ready for review November 1, 2025 20:52
Copilot AI review requested due to automatic review settings November 1, 2025 20:52
@pelikhan pelikhan enabled auto-merge (squash) November 1, 2025 20:52
Contributor

Copilot AI left a comment


Pull Request Overview

This PR removes the id-token: write permission from two GitHub Agentic Workflows. The permission was previously included with a comment indicating it was "for auth in some actions," but has now been removed from both the workflow definitions and their compiled lock files.

Key Changes

  • Removed id-token: write permission from daily-test-improver workflow
  • Removed id-token: write permission from daily-perf-improver workflow
  • Updated corresponding .lock.yml files to reflect the permission changes

Reviewed Changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| .github/workflows/daily-test-improver.md | Removed id-token: write permission from workflow frontmatter |
| .github/workflows/daily-test-improver.lock.yml | Removed compiled id-token: write permission from main job and safe-outputs jobs |
| .github/workflows/daily-perf-improver.md | Removed id-token: write permission from workflow frontmatter |
| .github/workflows/daily-perf-improver.lock.yml | Removed compiled id-token: write permission from main job and safe-outputs jobs |

