
Harden GitHub Actions Workflow Permissions#334

Merged
begonaguereca merged 4 commits into main from begonaguereca-patch-1 on Jun 11, 2025

Conversation

@begonaguereca
Collaborator

What's changing?

This PR updates the CI workflow to explicitly define permissions in accordance with GitHub security best practices and to resolve the actions/missing-workflow-permissions CodeQL alert.

  • Added top-level permissions: contents: read to enforce least-privilege by default.
  • Scoped contents: write to the publish job only (required for release creation).
  • Preserved checks: write and pull-requests: write permissions for the unit-test job to support publishing test results.

How's this tested?

Closes https://github.com/github/gh-actions-importer/security/code-scanning/3

Copilot AI review requested due to automatic review settings June 10, 2025 16:26
@begonaguereca begonaguereca requested a review from a team as a code owner June 10, 2025 16:26

Copilot AI left a comment


Pull Request Overview

This PR tightens workflow security by explicitly setting least-privilege permissions and scoping write access only where needed.

  • Adds a top-level permissions: contents: read to enforce default read-only access.
  • Grants contents: write specifically to the publish job.
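The PR description and the Copilot overview above describe the permission layout in words only. As an added illustration (not the project's actual workflow file), the following workflow shows that layout in GitHub Actions YAML: a read-only `GITHUB_TOKEN` by default, `checks: write` and `pull-requests: write` only on the unit-test job, and `contents: write` only on the publish job. Job names, triggers, the `dotnet` commands, the test-result action and the `gh release upload` step are assumptions chosen for the example.

```yaml
name: CI

on:
  push:
    branches: [main]
  pull_request:
  release:
    types: [published]

# Workflow-level default: every job receives a read-only GITHUB_TOKEN unless
# it declares its own `permissions` block. This is the setting that resolves
# the actions/missing-workflow-permissions CodeQL alert.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    # No `permissions` block: inherits contents: read from the workflow level.
    steps:
      - uses: actions/checkout@v4
      - run: dotnet build   # assumed build command

  unit-test:
    runs-on: ubuntu-latest
    needs: build
    # A job-level block replaces the workflow-level block rather than merging
    # with it, and any scope not listed here becomes `none`, so contents: read
    # must be restated next to the two extra write scopes.
    permissions:
      contents: read
      checks: write          # create the check run that carries the results
      pull-requests: write   # post the results summary as a PR comment
    steps:
      - uses: actions/checkout@v4
      - run: dotnet test --logger "trx;LogFileName=results.trx"   # assumed test command
      # Assumed test-result publisher; any action that writes checks and PR
      # comments needs exactly these two scopes.
      - uses: EnricoMi/publish-unit-test-result-action@v2
        if: always()
        with:
          files: "**/*.trx"

  publish:
    runs-on: ubuntu-latest
    needs: unit-test
    if: github.event_name == 'release'
    # The only job that may write to the repository: creating a release and
    # uploading assets requires contents: write.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - run: dotnet publish -c Release -o ./artifacts   # assumed publish command
      - run: gh release upload "$GITHUB_REF_NAME" ./artifacts/*   # assumed upload step
        env:
          GH_TOKEN: ${{ github.token }}
```

Two points worth checking when applying this pattern: a job-level `permissions` block does not inherit scopes from the top level, so forgetting `contents: read` in `unit-test` would break `actions/checkout`; and on `pull_request` events from forks the token is read-only regardless of what the workflow declares, so the results-publishing step should be expected to degrade (or be skipped with `if:`) on fork PRs.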

@github-actions

github-actions bot commented Jun 10, 2025

Unit Test Results

42 tests  ±0   42 ✅ ±0   0s ⏱️ ±0s
 1 suites ±0    0 💤 ±0 
 1 files   ±0    0 ❌ ±0 

Results for commit 41dfffd. ± Comparison against base commit 6f6c943.

♻️ This comment has been updated with latest results.

@offbyone

Based on the CI errors, there are dotnet version issues with the existing tools. I seem to recall we may have had a platform upgrade to dotnet recently, based on a PR in gh-gei. Is that related to the CI issues here?

@begonaguereca
Collaborator Author

@offbyone Yeah, we will need to tackle the dotnet upgrade next; fixed our CI issues here: #335

CI is green after more than a year!

@begonaguereca begonaguereca merged commit 6f7dffe into main Jun 11, 2025
8 checks passed
@begonaguereca begonaguereca deleted the begonaguereca-patch-1 branch June 11, 2025 21:54