
chore(ci): add explicit GITHUB_TOKEN permissions to workflows #116

Merged
cbullinger merged 4 commits into main from chore/workflow-permissions on Jun 8, 2026

Conversation

@cbullinger

@cbullinger cbullinger commented Jun 4, 2026

Collaborator

Summary

Resolves 8 open CodeQL actions/missing-workflow-permissions findings by declaring minimal GITHUB_TOKEN scopes on every workflow.

Changes

  • Audit workflows (audit-tanstack, audit-python-fastapi): contents: read
  • Test workflows (TanStack, Python, Express, Java): contents: read, actions: write (required for upload-artifact)
  • Security-Notification: contents: read (checkout only; Dependabot API uses DEPENDABOT_PAT)
  • new-issue-notify: permissions: {} (no GITHUB_TOKEN usage; Slack via secret only)

Test plan

Related

Made with Cursor

Set minimal permissions on all workflows to resolve CodeQL
actions/missing-workflow-permissions findings (#1-#8).

Co-authored-by: Cursor <cursoragent@cursor.com>
@cbullinger cbullinger force-pushed the chore/workflow-permissions branch from e0af6b8 to b4b4425 Compare June 4, 2026 18:21
@cbullinger cbullinger changed the base branch from development to main June 4, 2026 18:21
@cbullinger cbullinger requested a review from Copilot June 5, 2026 13:05

Copilot AI left a comment



Pull request overview

This PR addresses CodeQL actions/missing-workflow-permissions findings by explicitly declaring minimal GITHUB_TOKEN permissions across all GitHub Actions workflows in the repo.

Changes:

  • Added permissions: { contents: read } to workflows that only need repository read access (checkout/audits/security notification).
  • Added permissions: { contents: read, actions: write } to test workflows that upload artifacts via actions/upload-artifact.
  • Set permissions: {} on the issue-to-Slack notification workflow to explicitly disable GITHUB_TOKEN access.

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated no comments.

Summary per file:

  • .github/workflows/Security-Notification.yml: adds contents: read for checkout while using a PAT for Dependabot API calls.
  • .github/workflows/run-tanstack-tests.yml: adds contents: read + actions: write for artifact upload in test workflow.
  • .github/workflows/run-python-tests.yml: adds contents: read + actions: write for artifact upload in test workflow.
  • .github/workflows/run-java-spring-boot-tests.yml: adds contents: read + actions: write for artifact upload in test workflow.
  • .github/workflows/run-express-tests.yml: adds contents: read + actions: write for artifact upload in test workflow.
  • .github/workflows/new-issue-notify.yml: sets permissions: {} since the job posts to Slack without needing GitHub API access.
  • .github/workflows/audit-tanstack.yml: adds contents: read for checkout-only dependency audit workflow.
  • .github/workflows/audit-python-fastapi.yml: adds contents: read for checkout-only dependency audit workflow.


@dacharyc

dacharyc commented Jun 5, 2026

Collaborator

Nice, tightly-scoped least-privilege change — the permissions: {} on new-issue-notify and contents: read on the audit/Security-Notification workflows all look correct. One thing worth double-checking before merge:

actions: write on the 4 test workflows is likely unnecessary

The PR notes actions: write is "required for upload-artifact", but I don't think that's the case. actions/upload-artifact@v4 uploads via GitHub's Results service authenticated by ACTIONS_RUNTIME_TOKEN — a separate token from GITHUB_TOKEN. The actions: write scope governs the /repos/.../actions/* REST endpoints (cancelling runs, deleting artifacts, managing workflows), none of which upload/download-artifact touch. GitHub's upload-artifact docs also list no permissions requirement, and these workflows otherwise only run actions/checkout (needs contents: read).

If that holds, all four can drop to:

permissions:
  contents: read

which keeps the change fully aligned with the least-privilege goal (granting an unused write scope is the kind of thing CodeQL nudges against).

Suggested verification: since these test workflows are heavy (Atlas CLI, sample-data restore, etc.) and only trigger on development/frameworks-tanstack, the cheapest way to confirm is a throwaway workflow on a matching branch — just checkout + write a file + upload-artifact@v4 under permissions: { contents: read } — and confirm the upload step succeeds. (Note: act/local runners can't verify this — they don't enforce GITHUB_TOKEN permission scoping at all.) If it passes, drop actions: write from all four.
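The two points raised in this thread, a workflow with no `permissions` block at all (the CodeQL finding the PR resolves) and a workflow carrying a `write` scope nothing uses (the `actions: write` question above), are both mechanical enough to check in CI. The script below is an added example for this discussion, not code from the docs-sample-apps repository or from CodeQL: it flags any job that inherits the repository default token grant because neither the workflow nor the job declares `permissions`, and lists every `write` scope so an over-broad grant is visible at review time. The scan is indentation-based so it runs without PyYAML; the sample workflows are constructed for the demo and do not reproduce the repository's files.

```python
"""Audit GitHub Actions workflows for missing or over-broad GITHUB_TOKEN grants.

Added example for this discussion, not code from the docs-sample-apps repo.
It re-implements the gist of CodeQL's actions/missing-workflow-permissions
check (flag a job when neither workflow nor job declares `permissions`) and
also lists every `write` scope so an unused grant like `actions: write` stands
out. Indentation-based scan, so it needs no PyYAML; sample workflows are
constructed for the demo.
"""


def _entries(lines):
    """Yield (index, indent, stripped) for non-blank, non-comment lines."""
    for i, raw in enumerate(lines):
        s = raw.strip()
        if s and not s.startswith("#"):
            yield i, len(raw) - len(raw.lstrip(" ")), s


def parse_permissions(lines, start):
    """Parse the `permissions` entry at lines[start] into {scope: level}.
    Handles `read-all`/`write-all`, flow mappings (`{}`, `{ contents: read }`)
    and nested block mappings."""
    _, _, value = lines[start].strip().partition(":")
    value = value.strip()
    if value in ("read-all", "write-all"):
        return {"*": value}
    if value.startswith("{"):
        inner = value.strip("{} ")
        return {k.strip(): v.strip() for k, v in
                (item.split(":", 1) for item in inner.split(","))} if inner else {}
    base = len(lines[start]) - len(lines[start].lstrip(" "))
    scopes = {}
    for _, indent, s in _entries(lines[start + 1:]):
        if indent <= base:
            break
        key, _, level = s.partition(":")
        scopes[key.strip()] = level.strip()
    return scopes


def audit_workflow(text):
    """Return {"workflow", "jobs", "missing", "writes"} for one workflow file."""
    lines = text.splitlines()
    entries = list(_entries(lines))
    report = {"workflow": None, "jobs": {}, "missing": [], "writes": []}
    jobs_at = next((i for i, ind, s in entries if ind == 0 and s == "jobs:"), None)
    for i, indent, s in entries:
        if indent == 0 and s.startswith("permissions:"):
            report["workflow"] = parse_permissions(lines, i)
    job_indent = body_indent = current = None
    for i, indent, s in entries:
        if jobs_at is None or i <= jobs_at:
            continue
        if indent == 0:
            break  # left the `jobs` mapping
        job_indent = job_indent or indent
        if indent == job_indent:  # a job id such as `test:`
            current, body_indent = s.rstrip(":"), None
            report["jobs"][current] = None
        else:
            body_indent = body_indent or indent
            if indent == body_indent and s.startswith("permissions:"):
                report["jobs"][current] = parse_permissions(lines, i)
    for job, scopes in report["jobs"].items():
        effective = scopes if scopes is not None else report["workflow"]
        if effective is None:
            report["missing"].append(job)  # runs with the repo default grant
        report["writes"] += [f"{job}:{k}" for k, v in (effective or {}).items()
                             if v in ("write", "write-all")]
    return report


SAMPLES = {
    # CodeQL finding: no `permissions` anywhere, job gets the default grant.
    "no-permissions.yml": """\
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
""",
    # Shape of the PR's first revision: a write scope nothing in the job uses.
    "over-scoped.yml": """\
on: [push]
permissions:
  contents: read
  actions: write
jobs:
  test:
    runs-on: ubuntu-latest
""",
    # Token disabled at workflow level; one job re-grants read access inline.
    "mixed.yml": """\
on: [issues]
permissions: {}
jobs:
  notify:
    runs-on: ubuntu-latest
  lint:
    runs-on: ubuntu-latest
    permissions: { contents: read }
""",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        rep = audit_workflow(text)
        print(f"{name}: missing={rep['missing']} writes={rep['writes']}")
```

Run it over `.github/workflows/*.yml` by reading each file into `audit_workflow`; a non-empty `missing` list corresponds to the CodeQL finding, and `writes` is the list to justify in the PR description. Note that this only inspects the declared grant: whether a step actually needs a scope (the `upload-artifact` question above) still has to be confirmed by running the workflow, as the reviewer suggests, because local runners do not enforce token scoping.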

upload-artifact@v4 authenticates via ACTIONS_RUNTIME_TOKEN, not
GITHUB_TOKEN actions: write. Keep contents: read only per review.

Co-authored-by: Cursor <cursoragent@cursor.com>
@cbullinger

Collaborator Author

Good catch — dropped actions: write from all four test workflows in d878893's follow-up commit (b4b4425 → latest).

actions/upload-artifact@v4 uploads via ACTIONS_RUNTIME_TOKEN (Results service), not the GITHUB_TOKEN actions: write scope. These workflows only need contents: read for checkout.

All four test workflows now use:

permissions:
  contents: read

@cbullinger

Collaborator Author

Correction on commit hash above — the permissions change is in 1940d78.

Minimal checkout + upload-artifact job with contents: read only to
confirm actions: write is unnecessary. Remove after PR #116 merges.

Co-authored-by: Cursor <cursoragent@cursor.com>
@cbullinger

Collaborator Author

Added a minimal verification workflow (verify-artifact-permissions.yml) — checkout + upload-artifact@v4 under permissions: { contents: read } only.

Result: run succeeded in 11s — https://github.com/mongodb/docs-sample-apps/actions/runs/27133317095

This confirms actions: write is not needed for artifact upload. The workflow is marked temporary in-file; we can delete it in a follow-up commit before merge (or right after merge).

Verified upload-artifact@v4 succeeds with contents: read only (run
27133317095). No need to keep the throwaway workflow in the repo.

Co-authored-by: Cursor <cursoragent@cursor.com>

@dacharyc dacharyc left a comment

Collaborator


LGTM - thanks for updating the perms! ✅

@cbullinger cbullinger merged commit 569a7b3 into main Jun 8, 2026
6 checks passed
@cbullinger cbullinger deleted the chore/workflow-permissions branch June 8, 2026 13:56