Every single workflow file lacks an explicit permissions block. By default, GitHub Actions grants contents: read, metadata: read, and packages: read for pull_request events, but for push events to the default branch, workflows run with contents: read and metadata: read. Without explicit restrictions, any action in the pipeline could request elevated permissions if a compromised action is introduced. The codecov.yml workflow passes secrets.CODECOV_TOKEN and the rake.yml uses bundler-cache which has broader token access.
REPRODUCTION: Inspect any workflow — no permissions: key exists at the job or workflow level.
IMPACT: Elevated attack surface; compromised actions can request tokens/permissions beyond what is needed.
Every single workflow file lacks an explicit permissions block. By default, GitHub Actions grants contents: read, metadata: read, and packages: read for pull_request events, but for push events to the default branch, workflows run with contents: read and metadata: read. Without explicit restrictions, any action in the pipeline could request elevated permissions if a compromised action is introduced. The codecov.yml workflow passes secrets.CODECOV_TOKEN and the rake.yml uses bundler-cache which has broader token access.
REPRODUCTION: Inspect any workflow — no permissions: key exists at the job or workflow level.
IMPACT: Elevated attack surface; compromised actions can request tokens/permissions beyond what is needed.