@mbroshi-stripe
Contributor

Why?

Fix code scanning alerts about unlimited permissions in GitHub workflows. By default, workflows have read/write access to all scopes, which is a security concern. This change applies the principle of least privilege.

What?

  • Added permissions: {} at workflow level to restrict default permissions
  • Added contents: read permission to each job that needs repository access
  • The rules workflow gets empty permissions as it only runs shell scripts

See Also

Fix code scanning alert about unlimited permissions by applying the
principle of least privilege to all workflow jobs. Each job now has
only the permissions it actually needs (contents: read for checkout
and build operations). The rules workflow gets empty permissions as
it only runs shell scripts without needing repository access.

Committed-By-Agent: claude
@mbroshi-stripe mbroshi-stripe marked this pull request as ready for review January 12, 2026 20:21
@mbroshi-stripe mbroshi-stripe requested a review from a team as a code owner January 12, 2026 20:21
@mbroshi-stripe mbroshi-stripe requested review from jar-stripe and removed request for a team January 12, 2026 20:21
@mbroshi-stripe mbroshi-stripe merged commit 24ed552 into master Jan 12, 2026
15 checks passed
@mbroshi-stripe mbroshi-stripe deleted the mbroshi/add-permissions-to-workflows branch January 12, 2026 21:33
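
An added example, not code from this pull request or repository: a small audit that reports which jobs in a workflow file have no `permissions` key at either workflow or job level, and so fall back to the repository's default token permissions. The sample workflows, the job names, `check-rules.sh`, and the function names `audit` and `unrestricted_jobs` are assumptions made for illustration.

```python
import re

KEY = re.compile(r"\s*([A-Za-z0-9_-]+)\s*:")
# Line-based heuristic, not a YAML parser. Samples are constructed and trimmed.
UNRESTRICTED = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps: [{uses: actions/checkout@v4}]
"""
HARDENED = """\
permissions: {}
jobs:
  build:
    runs-on: ubuntu-latest
    permissions: {contents: read}
    steps: [{uses: actions/checkout@v4}]
  rules:
    runs-on: ubuntu-latest
    steps: [{run: ./check-rules.sh}]
"""

def audit(text):
    """Return (workflow_level_set, {job_name: job_level_set})."""
    workflow_level, in_jobs, jobs = False, False, {}
    job_indent = child_indent = current = None
    for raw in text.splitlines():
        m = KEY.match(raw)
        if not m:
            continue  # blank line, comment or list item
        key, indent = m.group(1), len(raw) - len(raw.lstrip(" "))
        if indent == 0:
            in_jobs, current = key == "jobs", None
            workflow_level = workflow_level or key == "permissions"
        elif in_jobs:
            job_indent = job_indent or indent  # indent of the first job name
            if indent == job_indent:
                current, child_indent, jobs[key] = key, None, False
            elif current:
                child_indent = child_indent or indent  # indent of the job's own keys
                if indent == child_indent and key == "permissions":
                    jobs[current] = True
    return workflow_level, jobs

def unrestricted_jobs(text):
    """Jobs with no permissions key at workflow or job level."""
    workflow_level, jobs = audit(text)
    return sorted(j for j, own in jobs.items() if not (workflow_level or own))
```

In the hardened sample the `rules` job has no block of its own and is still restricted, because the workflow-level `permissions: {}` applies to it.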