@mbroshi-stripe
Contributor

Why?

Fix code scanning alerts about unlimited permissions in GitHub workflows. By default, workflows have read/write access to all scopes, which is a security concern. This change applies the principle of least privilege.

What?

  • Added permissions: {} at workflow level to restrict default permissions
  • Added contents: read permission to each job that needs repository access
  • The publish-docs job retains contents: write as it needs to push to gh-pages
  • The rules workflow gets empty permissions as it only runs shell scripts

See Also

Fix code scanning alert about unlimited permissions by applying the
principle of least privilege to all workflow jobs. Each job now has
only the permissions it actually needs:
- Build, test, publish, and compat jobs get contents: read
- publish-docs keeps contents: write (needs to push to gh-pages)
- rules workflow gets empty permissions (no repo access needed)

Committed-By-Agent: claude
@mbroshi-stripe mbroshi-stripe marked this pull request as ready for review January 12, 2026 20:20
@mbroshi-stripe mbroshi-stripe requested a review from a team as a code owner January 12, 2026 20:21
@mbroshi-stripe mbroshi-stripe requested review from prathmesh-stripe and removed request for a team January 12, 2026 20:21
@mbroshi-stripe mbroshi-stripe merged commit c5d0f0f into master Jan 12, 2026
14 checks passed
@mbroshi-stripe mbroshi-stripe deleted the mbroshi/add-permissions-to-workflows branch January 12, 2026 21:33
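
The permission layout described in the pull request above, written out as an added example. It is not the repository's actual workflow files: the workflow name, triggers and script paths are hypothetical, and the rules job is folded into the same file here only to keep the example short.

```yaml
# Constructed example; workflow name, triggers and script paths are hypothetical.
name: ci
on:
  push:
    branches: [master]
  pull_request:

# Workflow level: start from an empty permission set for GITHUB_TOKEN.
# A job that declares no permissions of its own inherits this empty set.
permissions: {}

jobs:
  test:
    runs-on: ubuntu-latest
    permissions:
      contents: read   # enough for actions/checkout to clone the repository
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/test.sh           # hypothetical script

  publish-docs:
    if: github.event_name == 'push'      # never publish from pull requests
    runs-on: ubuntu-latest
    permissions:
      contents: write  # the only job allowed to push (to gh-pages)
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/publish-docs.sh   # hypothetical script that pushes to gh-pages

  rules:
    runs-on: ubuntu-latest
    # No permissions block: inherits the empty workflow-level set.
    # The job only runs shell commands and needs no repository access.
    steps:
      - run: echo "checks that need no repository access"
```

When a job lists any scope under `permissions`, every scope it does not list is set to none, so `contents: read` on a job does not leave other scopes at their defaults.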