@OM-JADHAV25
Contributor

Proposed change

Resolves #3104

This PR refines GitHub Actions permissions by moving contents: read from the
workflow level to the specific jobs that require it.

This follows the principle of least privilege and aligns with recent review
feedback to scope permissions more precisely. There are no functional or
behavioral changes to the CI/CD pipeline.

Checklist

  • Required: I read and followed the contributing guidelines
  • Required: I ran make check-test locally and all tests passed
  • I used AI for code, documentation, or tests in this PR
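As an added illustration of the change this PR describes, the same workflow is shown below before and after moving contents: read from the workflow level into the jobs that use it. This is example YAML written for this page, not a file from the OWASP/Nest repository; the job names, action versions and steps are assumed. Two points a reviewer of such a change checks are that a job-level permissions block replaces the workflow-level one rather than merging with it, and that once any permissions key is present, every scope it leaves out is set to none. A job that needs no token access at all gets an explicit empty block, so it does not fall back to the repository's default GITHUB_TOKEN permissions.

```yaml
# Added example, not a workflow from the OWASP/Nest repository. Job names,
# action versions and steps are assumed for illustration.

# Before: one workflow-level block. Every job that does not declare its own
# permissions, including set-release-version, which never checks out the
# repository, receives contents: read on its GITHUB_TOKEN.
name: ci-before
on: [pull_request]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make check-test
  label-issues:
    runs-on: ubuntu-latest
    permissions:        # a job-level block replaces the workflow-level block;
      issues: write     # it does not merge with it, so contents is none here
    steps:
      - uses: actions/github-script@v7
        with:
          script: |
            await github.rest.issues.addLabels({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              labels: ["triage"],
            });
  set-release-version:
    runs-on: ubuntu-latest
    outputs:
      version: ${{ steps.version.outputs.version }}
    steps:
      - id: version
        run: echo "version=${GITHUB_REF_NAME}" >> "$GITHUB_OUTPUT"
---
# After: no workflow-level block. Each job lists only the scopes it uses;
# every scope a job leaves out is set to none once any permissions key exists.
name: ci-after
on: [pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    timeout-minutes: 10
    permissions:
      contents: read    # actions/checkout needs it
    steps:
      - uses: actions/checkout@v4
      - run: make check-test
  label-issues:
    runs-on: ubuntu-latest
    timeout-minutes: 5
    permissions:
      issues: write     # only addLabels; no checkout, so no contents: read
    steps:
      - uses: actions/github-script@v7
        with:
          script: |
            await github.rest.issues.addLabels({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              labels: ["triage"],
            });
  codeql:
    runs-on: ubuntu-latest
    timeout-minutes: 20
    permissions:
      contents: read          # checkout
      security-events: write  # upload the CodeQL (SARIF) results
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: python
      - uses: github/codeql-action/analyze@v3
  set-release-version:
    runs-on: ubuntu-latest
    permissions: {}     # needs no API access: an explicit empty block, so the
                        # token is not the repository's default permission set
    outputs:
      version: ${{ steps.version.outputs.version }}
    steps:
      - id: version
        run: echo "version=${GITHUB_REF_NAME}" >> "$GITHUB_OUTPUT"
```

The timeout-minutes values are placeholders; the review thread below discusses what is realistic for Docker build jobs versus test jobs.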

@coderabbitai
Contributor

coderabbitai bot commented Dec 31, 2025

Summary by CodeRabbit

  • Chores
    • Scoped workflow permissions to individual jobs instead of a global block.
    • Expanded per-job permissions where needed to align access.
    • Added timeouts across multiple CI jobs/steps to improve reliability and prevent hangs.
    • Clarified execution environments for select jobs and made minor workflow execution refinements.


Walkthrough

Moved workflow-level permissions: contents: read into per-job permissions across multiple GitHub Actions workflows, added or increased timeout-minutes on many jobs/steps, and made minor runs-on/outputs adjustments. No other orchestration logic changes.

Changes

Cohort / File(s) Summary
CI/CD main workflow
.github/workflows/run-ci-cd.yaml
Moved global permissions into per-job permissions entries (many jobs now explicitly include contents: read), added timeout-minutes to numerous jobs/steps (commonly 10), and adjusted runs-on/outputs for a few jobs (e.g., set-release-version, deployment jobs). No core orchestration logic changes.
Single-job workflows (moved permissions to job)
.github/workflows/check-pr-issue.yaml, .github/workflows/label-issues.yaml, .github/workflows/label-pull-requests.yaml, .github/workflows/run-code-ql.yaml, .github/workflows/update-nest-test-images.yaml
Removed top-level permissions and added equivalent permissions blocks under the relevant job (scopes: contents: read, issues: write, pull-requests: write, etc.). No other step or logic modifications.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

  • arkid15r

Pre-merge checks and finishing touches

✅ Passed checks (5 passed)
  • Title check: Passed. The title 'ci: move permissions to job level' accurately and concisely summarizes the main change of moving permissions from workflow to job level.
  • Description check: Passed. The description clearly explains the proposed changes, references the linked issue #3104, and describes the motivation of least privilege and recent feedback.
  • Linked Issues check: Passed. The PR successfully implements the objective from #3104 by moving contents: read and other permissions from workflow-level to job-level across multiple workflow files.
  • Out of Scope Changes check: Passed. All changes in the PR are strictly focused on moving permissions from workflow-level to job-level scope across GitHub Actions workflow files, directly addressing the linked issue.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c41a4d9 and ea78212.

📒 Files selected for processing (5)
  • .github/workflows/check-pr-issue.yaml
  • .github/workflows/label-issues.yaml
  • .github/workflows/label-pull-requests.yaml
  • .github/workflows/run-code-ql.yaml
  • .github/workflows/update-nest-test-images.yaml
🧰 Additional context used
🧠 Learnings (1)
📚 Learning: 2025-12-21T19:03:59.068Z
Learnt from: ahmedxgouda
Repo: OWASP/Nest PR: 1139
File: .github/workflows/setup-backend-environment/action.yaml:16-27
Timestamp: 2025-12-21T19:03:59.068Z
Learning: Composite actions (runs: using: composite) execute as steps within the calling job's context and can access the job context, including job.services.* properties (e.g., job.services.<service_id>.id, job.services.<service_id>.ports). Service containers must be defined at the job level, but a composite action's steps can reference them via the job context.

Applied to files:

  • .github/workflows/label-pull-requests.yaml
  • .github/workflows/check-pr-issue.yaml
  • .github/workflows/update-nest-test-images.yaml
  • .github/workflows/run-code-ql.yaml
  • .github/workflows/label-issues.yaml
🔇 Additional comments (5)
.github/workflows/label-issues.yaml (1)

11-12: LGTM! Permission correctly scoped.

The job-level issues: write permission is precisely what's needed for the github.rest.issues.addLabels API call. Notably, contents: read is correctly omitted since this job performs no repository checkout or file access.

.github/workflows/update-nest-test-images.yaml (1)

15-16: LGTM! Permission correctly scoped.

The contents: read permission is required for the actions/checkout step on line 19. Read-only access is appropriate since the job only builds and pushes Docker images using external credentials, with no repository write operations.

.github/workflows/run-code-ql.yaml (1)

18-20: LGTM! Permissions correctly scoped.

The job-level permissions are appropriate:

  • contents: read for the checkout step (line 29)
  • security-events: write to upload CodeQL analysis results (line 56)

Both permissions align with CodeQL workflow requirements.

.github/workflows/check-pr-issue.yaml (1)

10-13: Permissions are correctly scoped and all are necessary.

The three permissions are confirmed to be required by the arkid15r/check-pr-issue-action:

  • contents: read — required to read repository contents
  • issues: read — required to access linked issue information and assignees
  • pull-requests: write — required to close PRs and post comments

All permissions are properly specified in the workflow.

.github/workflows/label-pull-requests.yaml (1)

8-10: Permissions are correctly scoped.

The contents: read permission is required for actions/labeler to access the .github/labeler.yml configuration file through the GitHub API. The action reads this file without needing an explicit checkout step, relying instead on the implicit repository access provided by the pull_request_target event. The current permissions configuration (contents: read and pull-requests: write) matches the action's documented requirements.



coderabbitai[bot]
coderabbitai bot previously approved these changes Dec 31, 2025
Collaborator

@arkid15r arkid15r left a comment


Make sure to update all workflows and do it right :)

Could you add the same changes (see my recent update) for all github workflows -- in other files too -- to keep it consistent?

Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (1)
.github/workflows/run-ci-cd.yaml (1)

183-183: Docker build timeouts may be too tight for reliable builds.

The 10-minute timeout for build-staging-images and build-production-images may be insufficient. Docker multi-stage builds with GHA caching, layer caching cache-to: type=registry, and image push: true operations can exceed this duration under network latency or large image sizes. Consider increasing build job timeouts to 15–20 minutes or benchmarking actual build durations. Test job timeouts (10 min) are reasonable.

Also applies to: 217-217, 249-249, 383-383, 716-716

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ca9fb1a and c41a4d9.

📒 Files selected for processing (1)
  • .github/workflows/run-ci-cd.yaml
🧰 Additional context used
🧠 Learnings (1)
📚 Learning: 2025-12-21T19:03:59.068Z
Learnt from: ahmedxgouda
Repo: OWASP/Nest PR: 1139
File: .github/workflows/setup-backend-environment/action.yaml:16-27
Timestamp: 2025-12-21T19:03:59.068Z
Learning: Composite actions (runs: using: composite) execute as steps within the calling job's context and can access the job context, including job.services.* properties (e.g., job.services.<service_id>.id, job.services.<service_id>.ports). Service containers must be defined at the job level, but a composite action's steps can reference them via the job context.

Applied to files:

  • .github/workflows/run-ci-cd.yaml
🔇 Additional comments (3)
.github/workflows/run-ci-cd.yaml (3)

28-29: LGTM! Permissions correctly implement least privilege.

The addition of permissions: contents: read at the job level for all jobs that check out the repository correctly implements the principle of least privilege as stated in the PR objectives and addresses the SonarCloud security concern from issue #3104.

Also applies to: 63-64, 98-99, 115-116, 136-137, 156-157, 190-191, 224-225, 279-280, 389-390, 432-433, 548-549, 575-576, 616-617, 722-723, 769-770, 896-897


251-264: Correctly omits permissions for set-release-version job.

The set-release-version job correctly does not include a permissions block because it doesn't check out the repository—it only computes a version string from the release tag or commit SHA and sets job outputs.


595-601: Appropriate step-level timeout for Lighthouse CI.

The 15-minute step timeout for Lighthouse CI is reasonable for performance audits and prevents hanging test executions.

coderabbitai[bot]
coderabbitai bot previously approved these changes Jan 1, 2026
@OM-JADHAV25
Contributor Author

@arkid15r sure!
I’ll make the same updates across all workflows for consistency.
I’ll need some additional time to review each workflow carefully, so an extension of the deadline would be really helpful.
Thanks!!

@arkid15r
Collaborator

arkid15r commented Jan 1, 2026

> @arkid15r sure! I'll make the same updates across all workflows for consistency. I'll need some additional time to review each workflow carefully, so an extension of the deadline would be really helpful. Thanks!!

You're good -- don't worry about the deadline. We use it to keep things in shape when people just abandon their work.

@arkid15r arkid15r marked this pull request as draft January 1, 2026 20:03
@sonarqubecloud

sonarqubecloud bot commented Jan 2, 2026

@OM-JADHAV25 OM-JADHAV25 marked this pull request as ready for review January 2, 2026 12:00
@OM-JADHAV25 OM-JADHAV25 requested a review from arkid15r January 2, 2026 12:05
@arkid15r arkid15r enabled auto-merge January 2, 2026 17:15
Collaborator

@arkid15r arkid15r left a comment


LGTM

Development

Successfully merging this pull request may close these issues.

Move the read permission from workflow level to job level.