
Tighten the permissions of the reusable workflows we export #324

Merged

azazeal merged 11 commits into main from panos/perms on May 20, 2026


Conversation

@azazeal
Contributor

@azazeal azazeal commented May 20, 2026

The reusable workflows under .github/workflows/ had a mix of permission issues. Some declared no permissions: block at all (actionlint.yml, frizbee.yml, goBuild.yml, goLint.yml, goTest.yml, govulncheck.yml, codeql-analysis.yml, zizmor.yml), so callers had to remember what to grant. Others over-granted (docker-buildx-push.yml had contents: write it never used; triage.yml granted pull-requests: write and issues: write to both of its jobs when only one needed anything; dependabot-auto-merge.yml kept contents: write and pull-requests: write left over from before it switched to a PAT). And the implicit "caller must also grant X" contract on the umbrella workflows wasn't documented anywhere.

To that end, this PR pins explicit minimum permissions on every reusable workflow, fixes over-grants on docker-buildx-push.yml, triage.yml, and dependabot-auto-merge.yml, wires security-events: write through goCI.yml's codeql call site, and adds NOTE comments documenting the caller-permission contract for the two cases where it can't be removed (actionci.yml's zizmor child, goCI.yml's codeql child).

The PR also includes a small unrelated .editorconfig tweak that respects the local tab-width setting.

Once this is merged, I'll make a pass over existing callers to amend accordingly.
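
The caller-permission contract the PR describes, shown as an added example rather than the project's actual files: a reusable child that declares its own minimum, an umbrella reusable workflow that forwards `security-events: write` at its call site, and a downstream caller that must grant it. The file names `codeql-analysis.yml` and `goCI.yml` come from the PR text; the job names, the `@main` ref, the `secrets: inherit` line and the step versions are assumptions for illustration.

```yaml
# Added example, not code from smallstep/workflows. Three YAML documents,
# one per file. A reusable workflow can only narrow the GITHUB_TOKEN the
# caller passes in; it can never widen it. So a `permissions:` block in a
# reusable workflow is a floor the caller has to meet, not a grant.

# --- smallstep/workflows/.github/workflows/codeql-analysis.yml (child) ---
on:
  workflow_call:

# Explicit minimum. Without this block the job silently runs with whatever
# the caller happened to pass, which is the "callers had to remember" problem.
permissions:
  contents: read          # actions/checkout
  security-events: write  # CodeQL results upload

jobs:
  analyze:                # job name assumed
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: go
      - uses: github/codeql-action/analyze@v3
---
# --- smallstep/workflows/.github/workflows/goCI.yml (umbrella) ---
on:
  workflow_call:

# Workflow-level default is read-only; only the codeql job needs more.
permissions:
  contents: read

jobs:
  codeql:                 # job name assumed
    # NOTE: callers of goCI.yml must grant security-events: write.
    # This job forwards it to the child but cannot exceed what the
    # top-level caller passed in.
    permissions:
      contents: read
      security-events: write
    uses: smallstep/workflows/.github/workflows/codeql-analysis.yml@main
    secrets: inherit      # assumed; needed if the child reads caller secrets
---
# --- downstream repo, .github/workflows/ci.yml (caller) ---
on:
  push:
  pull_request:

# Start from nothing at the top level and grant per job.
permissions: {}

jobs:
  goCI:
    # Weak form (what callers would have needed before the child declared
    # anything): `permissions: write-all`. Corrected form below grants
    # exactly what goCI.yml's NOTE asks for.
    permissions:
      contents: read
      security-events: write
    uses: smallstep/workflows/.github/workflows/goCI.yml@main
    secrets: inherit      # assumed
```

A quick check before amending callers: a child with no `permissions:` block reports no error when over-granted, so the only signal that a caller is passing more than needed is the child's own declaration. If a caller grants less than the child declares, the run fails at the `uses:` job with a permissions error, which is the behaviour that makes the contract enforceable rather than documentary.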

@azazeal azazeal requested a review from hslatman May 20, 2026 11:09
@azazeal azazeal marked this pull request as ready for review May 20, 2026 11:09
@azazeal azazeal requested a review from a team as a code owner May 20, 2026 11:09
@azazeal azazeal enabled auto-merge (squash) May 20, 2026 11:10
@azazeal azazeal disabled auto-merge May 20, 2026 11:17
@azazeal azazeal merged commit a8afeec into main May 20, 2026
7 checks passed
@azazeal azazeal deleted the panos/perms branch May 20, 2026 12:30
azazeal added a commit to smallstep/linkedca that referenced this pull request May 20, 2026
azazeal added a commit to smallstep/certificates that referenced this pull request May 20, 2026
* gh: aligned workflow permissions with smallstep/workflows#324

* gh: forwarded codeql secrets through code-scan-cron.yml
azazeal added a commit to smallstep/cli that referenced this pull request May 20, 2026
azazeal added a commit to smallstep/cli that referenced this pull request May 20, 2026
azazeal added a commit to smallstep/crypto that referenced this pull request May 20, 2026
azazeal added a commit to smallstep/crypto that referenced this pull request May 20, 2026
azazeal added a commit to smallstep/linkedca that referenced this pull request May 20, 2026
* gh: aligned workflow permissions with smallstep/workflows#324

* gh: aligned code-scan-cron permissions with smallstep/workflows#324

* gh: forwarded codeql secrets through code-scan-cron.yml
azazeal added a commit to smallstep/logging that referenced this pull request May 20, 2026
azazeal added a commit to smallstep/logging that referenced this pull request May 20, 2026
azazeal added a commit to smallstep/nosql that referenced this pull request May 20, 2026
azazeal added a commit to smallstep/singleflight that referenced this pull request May 20, 2026
azazeal added a commit to smallstep/singleflight that referenced this pull request May 20, 2026
