
ci: add least-privilege permissions to workflows #47

Merged: goastler merged 1 commit into main from ci/harden-workflow-permissions on Jun 22, 2026

Conversation

@goastler (Member)

Summary

All GitHub Actions workflows in this repo previously had no permissions: block, so each inherited the repository default GITHUB_TOKEN scope (potentially read/write-all).

This adds explicit least-privilege top-level permissions to all 6 workflows.

Details

Write operations (releases, PR creation, git push) in these workflows authenticate via PROSOPONATOR_PAT, not the built-in GITHUB_TOKEN. So the default token only needs:

  • contents: read — all workflows (for checkout)
  • actions: write — cache.yml additionally, for cache save/cleanup

No write scope is required on the built-in token because the PAT carries auth for all push/release/PR steps.

Add explicit top-level permissions blocks to all GitHub Actions
workflows, which previously inherited the repository default token
scope. Write operations in these workflows use PROSOPONATOR_PAT, so the
built-in GITHUB_TOKEN only needs contents: read (plus actions: write in
cache.yml for cache management).
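As an added audit check that is not part of this PR or of the repository's own CI: a small Python script that applies the policy described above (an explicit top-level permissions block, contents: read everywhere, actions: write only in cache.yml) to workflow file contents and reports deviations. It assumes the plain key: value form of the permissions block shown in the PR (it is an indentation scan, not a YAML parser), and the sample workflow texts and the filename release.yml are constructed here, since the PR only names cache.yml.

```python
import re

# Scopes the PR description says each workflow needs: contents: read everywhere,
# plus actions: write only in cache.yml (the other workflow names are not listed in the PR).
DEFAULT_EXPECTED = {"contents": "read"}
EXPECTED = {"cache.yml": {"contents": "read", "actions": "write"}}

def top_level_permissions(workflow_text):
    """Top-level permissions mapping, or None when the block is absent.

    Minimal indentation scan rather than a YAML parser (assumption: plain
    `key: value` lines as in this PR). Shorthand like `permissions: write-all`
    comes back as {"*": "write-all"}; indented job-level blocks are ignored.
    """
    lines = workflow_text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^permissions:\s*(\S.*)?$", line)
        if not m:
            continue
        if m.group(1):
            return {"*": m.group(1).strip()}
        perms = {}
        for sub in lines[i + 1:]:
            if not sub.strip() or sub.lstrip().startswith("#"):
                continue
            if not sub.startswith(" "):  # back at column 0: block has ended
                break
            key, _, value = sub.strip().partition(":")
            perms[key.strip()] = value.strip()
        return perms
    return None

def audit(filename, workflow_text):
    """Findings for one workflow file; an empty list means it matches the policy."""
    expected = EXPECTED.get(filename, DEFAULT_EXPECTED)
    perms = top_level_permissions(workflow_text)
    if perms is None:
        return ["no top-level permissions block: inherits the repository default token scope"]
    if "*" in perms:
        return [f"shorthand permissions: {perms['*']} rather than explicit scopes"]
    findings = [f"{s}: {lvl} does not match expected {expected.get(s, 'none')}"
                for s, lvl in perms.items() if expected.get(s) != lvl]
    findings += [f"missing {s}: {lvl}" for s, lvl in expected.items() if s not in perms]
    return findings

# Constructed sample workflow texts: the pre-PR state and the corrected form.
BEFORE = "name: Release\non: [push]\njobs:\n  release:\n    runs-on: ubuntu-latest\n"
AFTER = "name: Release\non: [push]\npermissions:\n  contents: read\njobs:\n  release:\n    runs-on: ubuntu-latest\n"
```

Running audit("cache.yml", AFTER) reports the missing actions: write scope, while the same text passes for any other workflow name.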
@netlify bot commented Jun 22, 2026

Deploy Preview for peaceful-pothos-9e62ce ready!

Latest commit: 0971585
Latest deploy log: https://app.netlify.com/projects/peaceful-pothos-9e62ce/deploys/6a390b3516184e0008dbe7f5
Deploy Preview: https://deploy-preview-47--peaceful-pothos-9e62ce.netlify.app

@goastler goastler merged commit b579868 into main Jun 22, 2026
4 checks passed
@goastler goastler deleted the ci/harden-workflow-permissions branch June 22, 2026 15:35