@yugannkt yugannkt commented Dec 8, 2025

Description

This PR adds explicit permissions to the CI workflow file (.github/workflows/CI.yml) to follow security best practices and the principle of least privilege.

Changes

  • Added workflow-level default permissions with contents: read as the minimum baseline
  • Added job-level permissions for each job with only the permissions they require:
    • build: contents: read, actions: write, security-events: write
      • Needs to checkout code, upload artifacts, and perform CodeQL security analysis
    • upload-event-file: contents: read, actions: write
      • Needs to upload the GitHub event file as an artifact
    • build-for-e2e-test: contents: read, actions: write
      • Needs to build and upload binary artifacts for different platforms
    • e2e-test: contents: read, actions: write, checks: write
      • Needs to download artifacts, upload test logs, and publish test results
    • publish: contents: write
      • Needs to create releases and commit release notes back to the repository

Fixes #1457

  • Did you write/update appropriate tests
  • Release notes updated (if appropriate)
  • Appropriate logging output
  • Issue linked
  • Docs updated (or issue created)
  • New package licenses are added to ThirdPartyNotices.txt (if applicable)

- Added workflow-level default permissions (contents: read)
- Added job-level permissions for all jobs following least privilege:
  - build: contents:read, actions:write, security-events:write
  - upload-event-file: contents:read, actions:write
  - build-for-e2e-test: contents:read, actions:write
  - e2e-test: contents:read, actions:write, checks:write
  - publish: contents:write

Fixes github#1457
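The description above lists which permission scopes each job receives but the diff itself is not on this page. The following is an added illustration, not the PR's own diff, of how a workflow laid out that way reads: the job names and the permission sets per job are taken from the PR description; the trigger events, runner images, action versions, build commands and artifact names are assumptions.

```yaml
# Added example (not the PR's actual diff): a CI workflow with the
# workflow-level baseline and per-job permission blocks the PR describes.
name: CI

on:
  push:
    branches: [main]
  pull_request:
  release:
    types: [published]

# Workflow-level default: any job that declares no block of its own gets a
# GITHUB_TOKEN with read-only access to repository contents and nothing else.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    # A job-level block replaces (does not merge with) the workflow-level
    # set, so every scope the job needs is listed again here.
    permissions:
      contents: read           # actions/checkout
      actions: write           # artifact upload (scope as listed in the PR)
      security-events: write   # upload CodeQL results
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
      - run: dotnet build            # assumed build command
      - uses: github/codeql-action/analyze@v3
      - uses: actions/upload-artifact@v4
        with:
          name: build-output         # assumed artifact name
          path: out/

  upload-event-file:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      actions: write
    steps:
      - uses: actions/upload-artifact@v4
        with:
          name: event-file
          path: ${{ github.event_path }}

  build-for-e2e-test:
    runs-on: ubuntu-latest
    needs: build
    strategy:
      matrix:
        rid: [linux-x64, win-x64, osx-x64]   # assumed target platforms
    permissions:
      contents: read
      actions: write
    steps:
      - uses: actions/checkout@v4
      - run: dotnet publish -r ${{ matrix.rid }} -o out/${{ matrix.rid }}
      - uses: actions/upload-artifact@v4
        with:
          name: binaries-${{ matrix.rid }}
          path: out/${{ matrix.rid }}

  e2e-test:
    runs-on: ubuntu-latest
    needs: build-for-e2e-test
    permissions:
      contents: read
      actions: write   # upload test logs
      checks: write    # publish test results as a check run
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: binaries-linux-x64
      - run: ./run-e2e-tests.sh        # assumed test script
      - uses: actions/upload-artifact@v4
        if: always()
        with:
          name: e2e-logs
          path: logs/

  publish:
    runs-on: ubuntu-latest
    needs: e2e-test
    if: github.event_name == 'release'
    permissions:
      contents: write   # create the release and commit release notes
    steps:
      - uses: actions/checkout@v4
      - run: ./publish-release.sh      # assumed release script
```

Two points worth checking when reviewing a change like this: first, a job-level `permissions` block sets every scope it does not mention to `none`, which is why each job repeats `contents: read` even though the workflow-level default already grants it; second, for `pull_request` runs from forks the token is read-only regardless of what the file declares, so scopes such as `checks: write` only take effect on runs from the repository itself.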
github-actions bot commented Dec 8, 2025

Unit Test Results

1 file, 1 suite, 10m 25s ⏱️

| | Total | ✅ Passed | 💤 Skipped | ❌ Failed |
|---|---|---|---|---|
| Tests | 960 | 960 | 0 | 0 |
| Runs | 961 | 961 | 0 | 0 |

Results for commit 83f609a.

github-actions bot commented Dec 8, 2025

Code Coverage

| Package | Line Rate | Branch Rate | Complexity |
|---|---|---|---|
| ado2gh | 72% | 70% | 712 |
| Octoshift | 83% | 72% | 1739 |
| bbs2gh | 83% | 78% | 663 |
| gei | 81% | 72% | 574 |
| Summary | 81% (7738 / 9604) | 73% (1840 / 2521) | 3688 |

Development

Successfully merging this pull request may close these issues.

Please define actions workflow permissions

1 participant