[github] Improve workflow permissions#20171
Conversation
There was a problem hiding this comment.
Pull request overview
This PR makes GitHub Actions workflow GITHUB_TOKEN permissions explicit across a set of CI/release workflows, aligning them with least-privilege defaults (e.g., contents: read) while granting additional scopes only where required (e.g., id-token: write for OIDC auth, pull-requests: write for PR commenting, actions: write for workflow dispatch).
Changes:
- Add explicit workflow-level
permissionsto many workflows, mostly settingcontents: read. - Grant
id-token: writewhere workflows authenticate to cloud providers via OIDC. - Grant additional write scopes where required (e.g.,
pull-requests: writefor sticky PR comments;actions: writeto dispatch another workflow;contents/pull-requests: writefor release automation).
Reviewed changes
Copilot reviewed 29 out of 29 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| .github/workflows/workflow-run-replay-verify.yaml | Add explicit contents: read workflow token permissions. |
| .github/workflows/workflow-run-replay-verify-on-archive.yaml | Add contents: read and id-token: write for OIDC-authenticated operations. |
| .github/workflows/workflow-run-replay-verify-archive-storage-provision.yaml | Add contents: read and id-token: write for OIDC-authenticated operations. |
| .github/workflows/workflow-run-module-verify.yaml | Add explicit contents: read workflow token permissions. |
| .github/workflows/workflow-run-forge.yaml | Add contents: read, id-token: write, pull-requests: write to support OIDC and PR commenting. |
| .github/workflows/workflow-run-execution-performance.yaml | Add explicit contents: read workflow token permissions. |
| .github/workflows/windows-build.yaml | Add explicit contents: read workflow token permissions. |
| .github/workflows/trigger-release-branch-validation.yaml | Add contents: read and actions: write to allow createWorkflowDispatch. |
| .github/workflows/terraform-freeze.yaml | Add explicit contents: read workflow token permissions. |
| .github/workflows/semgrep.yaml | Add explicit contents: read workflow token permissions. |
| .github/workflows/run-gas-calibration.yaml | Add explicit contents: read workflow token permissions. |
| .github/workflows/run-fullnode-sync.yaml | Add explicit contents: read workflow token permissions. |
| .github/workflows/prover-daily-test.yaml | Add explicit contents: read workflow token permissions. |
| .github/workflows/node-api-compatibility-tests.yaml | Add explicit contents: read workflow token permissions. |
| .github/workflows/module-verify.yaml | Add explicit contents: read workflow token permissions. |
| .github/workflows/lint-test.yaml | Add explicit contents: read workflow token permissions. |
| .github/workflows/indexer-protos-sdk-update.yaml | Add explicit contents: read workflow token permissions. |
| .github/workflows/find-packages-with-undeclared-feature-dependencies.yaml | Add explicit contents: read workflow token permissions. |
| .github/workflows/faucet-tests-main.yaml | Add contents: read and id-token: write for OIDC-dependent docker/cloud setup. |
| .github/workflows/execution-performance.yaml | Add explicit contents: read workflow token permissions. |
| .github/workflows/coverage.yaml | Add explicit contents: read workflow token permissions. |
| .github/workflows/coverage-move-only.yaml | Add explicit contents: read workflow token permissions. |
| .github/workflows/codeql-analysis.yaml | Add workflow default contents: read (job already sets security-events: write). |
| .github/workflows/cli-release.yaml | Add workflow default contents: read (release job already has elevated job-level permissions). |
| .github/workflows/cli-external-deps.yaml | Add explicit contents: read workflow token permissions. |
| .github/workflows/cli-e2e-tests.yaml | Add explicit contents: read workflow token permissions. |
| .github/workflows/check-minimum-revision.yaml | Add explicit contents: read workflow token permissions. |
| .github/workflows/binary-release.yaml | Add workflow default contents: read (release job already has elevated job-level permissions). |
| .github/workflows/aptos-node-release.yaml | Add explicit contents: write + pull-requests: write for automated version bump PR creation. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| permissions: | ||
| contents: read | ||
| id-token: write |
There was a problem hiding this comment.
High: This reusable workflow is called from docker-build-test.yaml, which runs on pull_request_target after a maintainer gate and checks out the PR head SHA. Granting id-token: write here means the same job can mint GCP credentials before it runs testsuite/run_forge.sh from that checked-out ref, and this workflow later exports CLOUDSDK_AUTH_ACCESS_TOKEN into subsequent steps. A fork PR can therefore turn a maintainer-triggered Forge run into cloud-authenticated code execution.
| permissions: | ||
| contents: read | ||
| id-token: write |
There was a problem hiding this comment.
Medium: This reusable workflow is invoked from the maintainer-gated pull_request_target docker pipeline with GIT_SHA set to the PR head. Granting id-token: write to the whole job means the later ./.github/actions/run-faucet-tests composite action runs attacker-controlled PR code with OIDC token minting available, so a fork PR can obtain cloud identity on a maintainer-triggered test run.
There was a problem hiding this comment.
it's the usual issue with run approval?
1214d1f to
ef759c8
Compare


Description
Cleans up some workflow permissions to be explicit
How Has This Been Tested?
Key Areas to Review
Type of Change
Which Components or Systems Does This Change Impact?
Checklist