Skip to content

[github] Improve workflow permissions#20171

Open
gregnazario wants to merge 2 commits into
mainfrom
improve-workflow-permissions
Open

[github] Improve workflow permissions#20171
gregnazario wants to merge 2 commits into
mainfrom
improve-workflow-permissions

Conversation

@gregnazario

Copy link
Copy Markdown
Contributor

Description

Cleans up some workflow permissions to be explicit

How Has This Been Tested?

Key Areas to Review

Type of Change

  • New feature
  • Bug fix
  • Breaking change
  • Performance improvement
  • Refactoring
  • Dependency update
  • Documentation update
  • Tests

Which Components or Systems Does This Change Impact?

  • Validator Node
  • Full Node (API, Indexer, etc.)
  • Move/Aptos Virtual Machine
  • Aptos Framework
  • Aptos CLI/SDK
  • Developer Infrastructure
  • Move Compiler
  • Other (specify)

Checklist

  • I have read and followed the CONTRIBUTING doc
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I identified and added all stakeholders and component owners affected by this change as reviewers
  • I tested both happy and unhappy path of the functionality
  • I have made corresponding changes to the documentation

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR makes GitHub Actions workflow GITHUB_TOKEN permissions explicit across a set of CI/release workflows, aligning them with least-privilege defaults (e.g., contents: read) while granting additional scopes only where required (e.g., id-token: write for OIDC auth, pull-requests: write for PR commenting, actions: write for workflow dispatch).

Changes:

  • Add explicit workflow-level permissions to many workflows, mostly setting contents: read.
  • Grant id-token: write where workflows authenticate to cloud providers via OIDC.
  • Grant additional write scopes where required (e.g., pull-requests: write for sticky PR comments; actions: write to dispatch another workflow; contents/pull-requests: write for release automation).

Reviewed changes

Copilot reviewed 29 out of 29 changed files in this pull request and generated no comments.

Show a summary per file
File Description
.github/workflows/workflow-run-replay-verify.yaml Add explicit contents: read workflow token permissions.
.github/workflows/workflow-run-replay-verify-on-archive.yaml Add contents: read and id-token: write for OIDC-authenticated operations.
.github/workflows/workflow-run-replay-verify-archive-storage-provision.yaml Add contents: read and id-token: write for OIDC-authenticated operations.
.github/workflows/workflow-run-module-verify.yaml Add explicit contents: read workflow token permissions.
.github/workflows/workflow-run-forge.yaml Add contents: read, id-token: write, pull-requests: write to support OIDC and PR commenting.
.github/workflows/workflow-run-execution-performance.yaml Add explicit contents: read workflow token permissions.
.github/workflows/windows-build.yaml Add explicit contents: read workflow token permissions.
.github/workflows/trigger-release-branch-validation.yaml Add contents: read and actions: write to allow createWorkflowDispatch.
.github/workflows/terraform-freeze.yaml Add explicit contents: read workflow token permissions.
.github/workflows/semgrep.yaml Add explicit contents: read workflow token permissions.
.github/workflows/run-gas-calibration.yaml Add explicit contents: read workflow token permissions.
.github/workflows/run-fullnode-sync.yaml Add explicit contents: read workflow token permissions.
.github/workflows/prover-daily-test.yaml Add explicit contents: read workflow token permissions.
.github/workflows/node-api-compatibility-tests.yaml Add explicit contents: read workflow token permissions.
.github/workflows/module-verify.yaml Add explicit contents: read workflow token permissions.
.github/workflows/lint-test.yaml Add explicit contents: read workflow token permissions.
.github/workflows/indexer-protos-sdk-update.yaml Add explicit contents: read workflow token permissions.
.github/workflows/find-packages-with-undeclared-feature-dependencies.yaml Add explicit contents: read workflow token permissions.
.github/workflows/faucet-tests-main.yaml Add contents: read and id-token: write for OIDC-dependent docker/cloud setup.
.github/workflows/execution-performance.yaml Add explicit contents: read workflow token permissions.
.github/workflows/coverage.yaml Add explicit contents: read workflow token permissions.
.github/workflows/coverage-move-only.yaml Add explicit contents: read workflow token permissions.
.github/workflows/codeql-analysis.yaml Add workflow default contents: read (job already sets security-events: write).
.github/workflows/cli-release.yaml Add workflow default contents: read (release job already has elevated job-level permissions).
.github/workflows/cli-external-deps.yaml Add explicit contents: read workflow token permissions.
.github/workflows/cli-e2e-tests.yaml Add explicit contents: read workflow token permissions.
.github/workflows/check-minimum-revision.yaml Add explicit contents: read workflow token permissions.
.github/workflows/binary-release.yaml Add workflow default contents: read (release job already has elevated job-level permissions).
.github/workflows/aptos-node-release.yaml Add explicit contents: write + pull-requests: write for automated version bump PR creation.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@cursor cursor Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Aptos Security Bugbot has reviewed your changes and found 2 potential issues.

Open in Web View Automation 

Sent by Cursor Automation: Security Review Bot

Comment on lines +147 to +149
permissions:
contents: read
id-token: write

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

High: This reusable workflow is called from docker-build-test.yaml, which runs on pull_request_target after a maintainer gate and checks out the PR head SHA. Granting id-token: write here means the same job can mint GCP credentials before it runs testsuite/run_forge.sh from that checked-out ref, and this workflow later exports CLOUDSDK_AUTH_ACCESS_TOKEN into subsequent steps. A fork PR can therefore turn a maintainer-triggered Forge run into cloud-authenticated code execution.

Comment on lines +44 to +46
permissions:
contents: read
id-token: write

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Medium: This reusable workflow is invoked from the maintainer-gated pull_request_target docker pipeline with GIT_SHA set to the PR head. Granting id-token: write to the whole job means the later ./.github/actions/run-faucet-tests composite action runs attacker-controlled PR code with OIDC token minting available, so a fork PR can obtain cloud identity on a maintainer-triggered test run.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it's the usual issue with run approval?

@cursor cursor Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Aptos Security Bugbot has reviewed your changes, there are still 2 issues that need to be addressed from previous scan.

Open findings:

Open in Web View Automation 

Sent by Cursor Automation: Security Review Bot

@gregnazario gregnazario force-pushed the improve-workflow-permissions branch from 1214d1f to ef759c8 Compare July 13, 2026 19:15

@cursor cursor Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Aptos Security Bugbot has reviewed your changes, there are still 2 issues that need to be addressed from previous scan.

Open findings:

Open in Web View Automation 

Sent by Cursor Automation: Security Review Bot

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants