task: Permissions hardening across all workflow files (PM-22119)#855
Merged
12 tasks
gilescope approved these changes Mar 5, 2026
Harden GitHub Actions workflow permissions across all workflow files by applying least-privilege principles (M-F005, M-F006, M-F013, M-F015). Made-with: Cursor
Move workflow-level permissions to per-job declarations. Set
permissions: {} at workflow level (deny all by default). Add
permissions: { contents: read } to 14 test/build-only jobs that
previously inherited id-token:write, contents:write, packages:write,
and attestations:write. Existing job-level overrides on 7 scoped
jobs are preserved.
Ref: PM-22119
Made-with: Cursor
Move workflow-level permissions to per-job declarations. Set
permissions: {} at workflow level. Add minimal per-job permissions
to all 11 jobs based on their actual needs.
Ref: PM-22119
Made-with: Cursor
Add permissions blocks to 9 main repo workflow files that previously
inherited repository defaults. 7 files get workflow-level
permissions: { contents: read }. prs.yml and security-audit-scan.yml
get permissions: {} with per-job scoping for their write needs.
Ref: PM-22119
Made-with: Cursor
Updates indexer submodule to include M-F006 (permissions blocks) and M-F015 (explicit secret passing) changes. Ref: PM-22119 Made-with: Cursor
…into task/PM-22119-permissions-hardening
The sbom-scan-node and sbom-scan-toolkit jobs call the reusable
sbom-scan-image.yml workflow and need packages:write, id-token:write,
and attestations:write. These were lost when the workflow-level
permissions changed to permissions: {}.
Ref: PM-22119
Made-with: Cursor
Made-with: Cursor
Point to indexer main which has published Docker images, resolving the build-indexer-images CI failure. Indexer permissions changes tracked separately in midnightntwrk/midnight-indexer#866. Ref: PM-22119 Made-with: Cursor
…les-image.yml File was deleted on main and modified in our branch (permissions added). Accept the deletion since the workflow no longer exists upstream. Made-with: Cursor
Reset indexer submodule pointer to 3f0a8ef (same as main). Indexer permissions changes tracked in midnightntwrk/midnight-indexer#866. Ref: PM-22119 Made-with: Cursor
079d025 to ad62e09
gilescope pushed a commit that referenced this pull request Apr 8, 2026
* minimal setup for testing minimal ci.yml
* add to full setup
* Replace use of earthly in dispatch
* Remove redundant earthly files
* update chain spec creation code
* fix artifact upload path
* fix: to-build logic + deny.toml
* fix: unicode
* fix: CDLA
* fix: apache
* fix: GPL
* fix: GPL
* fix: unused-allow
* fix. allow
* fix: allow
* fix: order
* fix: don't check licenses
* fix: to-build and remove non linux x86_64 builds
* fix: overwrite flake
* fix: no to-build
* fix: clean
* fix: debug
* fix: rm
* fix. sha
* fix: fetch depth
* fix: remove devshell tests
* fix: build and push
* chore: remove unused files blabla and foobar
* fix:: sha

---------

Co-authored-by: tobias pflug <tobias.pflug@gmail.com>
gilescope pushed a commit that referenced this pull request Apr 8, 2026
Summary
Harden GitHub Actions workflow permissions across 18 files by applying least-privilege principles: set `permissions: {}` at workflow level and move scopes to per-job declarations. Eliminates `secrets: inherit` from indexer reusable workflow calls.
Motivation
The repository's CI/CD workflows grant overly broad permissions.

- `continuous-integration.yml` declares 4 write scopes at workflow level inherited by 23 jobs (14 only need read access).
- `release-image.yml` declares 5 write scopes inherited by all jobs.
- 14 workflow files have no `permissions:` block at all, inheriting repository defaults.
- Two indexer files pass all secrets to reusable workflows via `secrets: inherit`.

This over-permissioning increases the blast radius of supply-chain or CI/CD attacks. A compromised dependency or malicious PR could trigger jobs with unintended write access to packages, contents, or attestations.
Changes
- `continuous-integration.yml`: `permissions: {}` at workflow level; add per-job `contents: read` to 14 test/build jobs; add full SBOM scopes to 2 SBOM scan jobs
- `release-image.yml`: `permissions: {}` at workflow level; add minimal per-job permissions to all 11 jobs
- 9 main repo workflow files: 7 get `contents: read`; `prs.yml` gets `pull-requests: write`; `security-audit-scan.yml` gets `security-events: write`
- `permissions: { contents: read }` at workflow level
- Replace `secrets: inherit` with explicit passing of 7 consumed secrets
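The layout the PR description and the sbom-scan commit describe, written out as an added example rather than a file from this repository: `permissions: {}` at the workflow level so no job inherits write scopes, `contents: read` on a build-only job, the three write scopes on the job that calls the reusable `sbom-scan-image.yml` workflow, and named secrets in place of `secrets: inherit`. The workflow name, job names, build command, image reference, the reusable workflow's `with:` inputs and the secret name are assumptions for illustration; only the scope names and the reusable workflow's file name come from the PR.

```yaml
name: example-ci   # hypothetical workflow name, not from the PR

on:
  push:
    branches: [main]
  pull_request:

# Deny everything at the workflow level. A job that declares no
# permissions now gets an empty GITHUB_TOKEN scope instead of the
# repository default, so every job must state what it needs.
permissions: {}

jobs:
  # Test/build-only job: actions/checkout needs contents:read, nothing else.
  unit-tests:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - run: make test   # hypothetical build command

  # Caller of a reusable workflow. The caller job's permissions are the
  # ceiling for the called workflow: it can drop scopes but cannot add
  # them. With permissions: {} at the top these are no longer inherited
  # and must be granted here, which is what the PR's fix-up commit restores.
  sbom-scan-image:
    needs: unit-tests
    permissions:
      contents: read
      packages: write        # push image to the registry
      id-token: write        # OIDC token for keyless signing
      attestations: write    # publish build provenance / SBOM attestation
    uses: ./.github/workflows/sbom-scan-image.yml   # reusable workflow named in the PR
    with:
      image: ghcr.io/example/app:${{ github.sha }}   # hypothetical input name/value
    # Before: secrets: inherit   (exposes every repository/organization secret)
    # After: pass only what the called workflow actually consumes.
    secrets:
      REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}   # hypothetical secret name
```

Two things to check when applying this pattern: `permissions: {}` also removes `contents: read`, so any job that runs `actions/checkout` fails until it declares that scope itself; and a scope omitted from a caller job cannot be recovered inside the reusable workflow, so the caller is the right place to review what an image-publishing job can do. A quick audit for files still relying on repository defaults is `grep -L '^permissions:' .github/workflows/*.yml`, which lists workflows with no top-level `permissions:` key (it does not inspect per-job blocks, so read the listed files rather than treating the output as a verdict).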