fix(ci): drop root contents: write to contents: read (CIS GHA 1.2)#253
Merged
Conversation
Three workflows previously declared `permissions: contents: write` at file scope, granting the broadest blast radius to every job. Only a handful of jobs actually need to write the repo (tag-release, welder deploy, sticky-comment posting); every other job — build-setup, lint, test, build-platforms, build-binaries, docker-build, docker-build-push, build-docs, prepare — is read-only. Per CIS GitHub Actions Benchmark §1.2 and OWASP CICD-SEC-5, this PR drops the root grant to `contents: read` and explicitly grants `contents: write` only on the jobs that need it.

| Workflow | Root | Per-job writes |
|---|---|---|
| branch.yaml | read | finalize (already had it) |
| branch-preview.yaml | read | publish-sc-preview, publish-git-tag, finalize |
| push.yaml | read | docker-finalize (tag-release), finalize |

Verification
============

- All 5 workflows scanned with the SC Semgrep ruleset (`simple-container-com/actions/semgrep-scan/rules/github-actions.yml`): **0 findings** across the existing 19 rules.
- Every `actions/checkout` still uses `persist-credentials: false` (preserved from PR #238).
- No OIDC `id-token: write` was previously set anywhere — none is needed for the current writes (token-issuing OIDC isn't used).
- The `branch.yaml` PPE caveat from PR #238 is deliberately out of scope here: the team-accepted defense-in-depth comment + nosemgrep on that workflow indicate the proper `workflow_run`-gated split is tracked separately. This PR only tightens permissions, not triggers.

Frameworks satisfied
====================

- CIS GitHub Actions Benchmark §1.2
- OWASP CICD-SEC-1 (insufficient flow control), CICD-SEC-5 (PBAC)
- NIST SP 800-218 PS.1 (protect all forms of code)
- OpenSSF Scorecard "Token-Permissions" check

Signed-off-by: Dmitrii Creed <creeed22@gmail.com>
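As an added illustration, not the repository's own workflow file, this is the shape of the change described above: a read-only root grant, with `contents: write` scoped to the single job that pushes a tag (the job and step names, trigger and build command are assumed).

```yaml
# Constructed example of the permission layout this PR introduces; the
# job names mirror the ones listed in the table but the file is not the
# project's actual push.yaml.
name: push

on:
  push:
    branches: [main]

# Before the change this block read `contents: write`, so every job below,
# including the read-only build job, received a write-capable GITHUB_TOKEN.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    # No permissions block here: the job inherits the root read-only grant.
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # do not leave the token in .git/config
      - run: make build                # assumed build command

  docker-finalize:
    needs: build
    runs-on: ubuntu-latest
    # Only this job writes to the repo (tag-release), so it alone is elevated.
    # Note: a job-level permissions block replaces the root set entirely, so
    # every scope the job needs must be listed here, not just the added one.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: tag-release
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          # Credentials were not persisted by checkout, so supply the
          # job-scoped token explicitly for this single push.
          git tag "build-${{ github.run_number }}"
          git push "https://x-access-token:${GH_TOKEN}@github.com/${{ github.repository }}" --tags
```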
Semgrep Scan Results: scanned at 2026-05-13 13:18 UTC.

Security Scan Results: scanned at 2026-05-13 13:19 UTC.
smecsia approved these changes on May 13, 2026.
Summary
Tightens root workflow permissions on `branch.yaml`, `branch-preview.yaml`, and `push.yaml`.
Before: every job inherited `contents: write`. Today only a handful of jobs need it (tag-release, welder deploy, sticky-comment posting); build/test/lint/docker-build are all read-only. This PR drops the root grant and adds explicit per-job `contents: write` only where required.