
Harden GitHub Actions token permissions across flagged workflows#5732

Draft
Copilot wants to merge 2 commits into main from copilot/sec-check-fix-github-token-permissions

Conversation

Contributor

Copilot AI commented Jun 6, 2026

📌 Fixes


📝 Summary of Changes

15 workflows were flagged for over-permissive or undeclared GITHUB_TOKEN permissions (all scoring 0 on Scorecard token-permissions). This PR applies a consistent least-privilege pattern: default workflow scope is read-only, with write access granted only at the specific job requiring it.

  • Workflow baseline hardening
    • Added top-level permissions: read-all to all in-scope workflows from the issue.
  • Write-scope isolation
    • Moved workflow-level write permissions down to the exact job(s) that need them (actions, checks, contents, issues, pull-requests, statuses, id-token, security-events where applicable).
  • Scorecard workflow alignment
    • Scoped security-events: write to the analysis job (SARIF upload path) instead of workflow-wide.
  • Locked workflow handling
    • Added top-level permissions: read-all in technical-doc-writer.lock.yml while preserving required job-level contents: write grants.
permissions: read-all          # workflow default: read-only GITHUB_TOKEN for every job

jobs:
  analysis:
    permissions:               # write scopes granted only to the job that needs them
      security-events: write   # SARIF upload
      id-token: write

Changes Made

  • Updated permissions model in affected .github/workflows/*.yml files to use top-level read-all.
  • Refactored permission scopes from workflow-level to job-level write access only where required.
  • Fixed Scorecard and technical-doc-writer lockfile permission scoping per security finding requirements.
  • Added tests for these changes (not applicable; workflow permission hardening only).

Checklist

Please ensure the following before submitting your PR:

  • I have reviewed the project's contribution guidelines.
  • I have written unit tests for the changes (if applicable).
  • I have updated the documentation (if applicable).
  • I have tested the changes locally and ensured they work as expected.

Screenshots or Logs (if applicable)

N/A (workflow YAML permission-scope changes only).


👀 Reviewer Notes

  • copilot-dco.yml and markdownlint-cli2.yml were intentionally not modified per issue instructions.
  • No trigger, job logic, or execution flow was changed; only token permission scope declarations were adjusted.

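The pattern the PR description above applies (a top-level permissions: read-all, with write scopes declared only on the job that needs them) can be checked mechanically before Scorecard ever runs. The following Python is an added example written for this page, not code from the kubestellar/docs repository or from the PR. It assumes conventionally formatted workflow YAML (space indentation, one key per line, block mappings) and scans by indentation instead of using a full YAML parser; the BEFORE and AFTER workflows are constructed for the example and are not files from the repository.

```python
"""Audit GitHub Actions workflows for over-permissive GITHUB_TOKEN scoping.

Added example, not code from kubestellar/docs or this PR. It checks the PR's pattern
(read-only top-level permissions, write scopes only on the job that needs them) and
ASSUMES conventional workflow YAML: space indents, one key per line, block mappings.
"""
import re
from typing import Any, Dict, List

KEY_RE = re.compile(r"^([A-Za-z0-9_.-]+):\s*(.*?)\s*$")


def _scalar(value: str) -> str:
    """Strip a trailing '# comment' and quotes; '' (or '{}') means a mapping follows."""
    value = value.split(" #", 1)[0].strip().strip("'\"")
    return "" if value == "{}" else value


def parse_permissions(text: str) -> Dict[str, Any]:
    """{"workflow": perms, "jobs": {id: perms}}; perms is None, "read-all"/"write-all" or {scope: level}."""
    jobs: Dict[str, Any] = {}
    result: Dict[str, Any] = {"workflow": None, "jobs": jobs}
    in_jobs, job, id_col, key_col = False, None, None, None  # job-id column / key column inside a job
    collecting = None                  # (dict being filled, column of its key)
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        col = len(raw) - len(raw.lstrip(" "))
        match = KEY_RE.match(raw.strip())
        if collecting and col <= collecting[1]:
            collecting = None          # indentation dropped back: the mapping ended
        if collecting:
            if match:
                collecting[0][match.group(1)] = _scalar(match.group(2))
            continue
        if not match:
            continue                   # list items / block scalars carry no permissions
        key, value = match.group(1), _scalar(match.group(2))
        if col == 0:                   # workflow-level key
            in_jobs, job, id_col, key_col = key == "jobs", None, None, None
            if key == "permissions":
                result["workflow"] = value or {}
                if not value:
                    collecting = (result["workflow"], 0)
            continue
        if not in_jobs:
            continue
        if id_col is None:
            id_col = col
        if col == id_col:              # a new job id
            job, key_col = key, None
            jobs[job] = None
            continue
        if key_col is None:
            key_col = col
        if col == key_col and key == "permissions":
            jobs[job] = value or {}
            if not value:
                collecting = (jobs[job], col)
    return result


def audit_workflow(text: str) -> List[str]:
    """Findings wherever the token is broader than the least-privilege pattern."""
    perms, findings = parse_permissions(text), []
    top = perms["workflow"]
    if top is None:
        findings.append("workflow: permissions undeclared; GITHUB_TOKEN gets the repository default")
    elif top == "write-all":
        findings.append("workflow: write-all grants every scope to every job")
    elif isinstance(top, dict):
        findings += [f"workflow: {s}: write is inherited by every job; move it to the job that needs it" for s, level in top.items() if level == "write"]
    findings += [f"job {j}: write-all; list only the scopes the job uses" for j, p in perms["jobs"].items() if p == "write-all"]
    return findings


def job_write_scopes(text: str) -> Dict[str, List[str]]:
    """Write scopes each job is explicitly granted: the list a reviewer should check."""
    return {job: (["write-all"] if p == "write-all" else
                  sorted(s for s, lvl in p.items() if lvl == "write") if isinstance(p, dict) else [])
            for job, p in parse_permissions(text)["jobs"].items()}


# Constructed samples (not files from kubestellar/docs): one job before and after the PR's pattern.
BEFORE = """\
permissions:
  security-events: write
  id-token: write
jobs:
  analysis:
    runs-on: ubuntu-latest
"""
AFTER = """\
permissions: read-all
jobs:
  analysis:
    permissions:
      security-events: write   # SARIF upload
      id-token: write
    steps:
      - run: echo analysing
"""
```

Run it over a workflow with audit_workflow(open(path).read()): an empty list is the target state, and job_write_scopes returns exactly the per-job write grants a reviewer has to justify. It does not replicate Scorecard's own token-permissions scoring; it enforces only the stricter pattern this PR adopts, which is why an undeclared top-level block is reported as a finding rather than tolerated.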
kubestellar-prow Bot added the do-not-merge/work-in-progress (Indicates that a PR should not merge because it is a work in progress) and dco-signoff: no (Indicates the PR's author has not signed the DCO) labels Jun 6, 2026

netlify Bot commented Jun 6, 2026

Deploy Preview for kubestellar-docs ready!

🔨 Latest commit: ae84344
🔍 Latest deploy log: https://app.netlify.com/projects/kubestellar-docs/deploys/6a242f5fa9b3bc0008a47612
😎 Deploy Preview: https://deploy-preview-5732--kubestellar-docs.netlify.app


kubestellar-prow Bot added the size/XS (Denotes a PR that changes 0-9 lines, ignoring generated files) label Jun 6, 2026
@kubestellar-prow

Hi @Copilot. Thanks for your PR.

I'm waiting for a kubestellar member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

kubestellar-prow Bot added the needs-ok-to-test (Indicates a PR that requires an org member to verify it is safe to test) label Jun 6, 2026
@kubestellar-prow

Thanks for your pull request. Before we can look at it, you'll need to add a 'DCO signoff' to your commits.

📝 Please follow instructions in the contributing guide to update your commits with the DCO

Full details of the Developer Certificate of Origin can be found at developercertificate.org.

The list of commits missing DCO signoff:

  • b8b2887 Initial plan
  • ae84344 Harden workflow token permissions with read-all defaults

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@kubestellar-prow

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from clubanderson. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

kubestellar-prow Bot added the size/M (Denotes a PR that changes 30-99 lines, ignoring generated files) label and removed the size/XS (Denotes a PR that changes 0-9 lines, ignoring generated files) label Jun 6, 2026
Copilot AI changed the title from "[WIP] Fix over-permissive GITHUB_TOKEN permissions in workflows" to "Harden GitHub Actions token permissions across flagged workflows" Jun 6, 2026
Copilot AI requested a review from clubanderson June 6, 2026 14:33

Labels

  • dco-signoff: no — Indicates the PR's author has not signed the DCO.
  • do-not-merge/work-in-progress — Indicates that a PR should not merge because it is a work in progress.
  • needs-ok-to-test — Indicates a PR that requires an org member to verify it is safe to test.
  • size/M — Denotes a PR that changes 30-99 lines, ignoring generated files.


Development

Successfully merging this pull request may close these issues.

[sec-check] HIGH: 15 over-permissive GITHUB_TOKEN workflows in kubestellar/docs (all score 0)

2 participants