Skip to content

All 10 GitHub Actions workflows missing permissions block #587

Description

@sdghsdkjlas27-dotcom

Every single workflow file lacks an explicit permissions block. By default, GitHub Actions grants contents: read, metadata: read, and packages: read for pull_request events, but for push events to the default branch, workflows run with contents: read and metadata: read. Without explicit restrictions, any action in the pipeline could request elevated permissions if a compromised action is introduced. The codecov.yml workflow passes secrets.CODECOV_TOKEN and the rake.yml uses bundler-cache which has broader token access.

REPRODUCTION: Inspect any workflow — no permissions: key exists at the job or workflow level.

IMPACT: Elevated attack surface; compromised actions can request tokens/permissions beyond what is needed.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions