Copilot AI commented Oct 29, 2025

Add permissions: contents: read to workflow files to follow the principle of least privilege for GitHub Actions security.

Changes

  • .github/workflows/nodejs.yml: Added explicit read-only contents permission
  • .github/workflows/publish.yml: Added explicit read-only contents permission

This restricts workflows to read-only access unless additional permissions are explicitly granted, reducing the attack surface if workflow tokens are compromised.


Copilot AI changed the title from "[WIP] Apply code changes to index.js file" to "Add explicit read-only permissions to GitHub Actions workflows" Oct 29, 2025
Copilot finished work on behalf of cinderellasecure October 29, 2025 19:04
cinderellasecure marked this pull request as ready for review November 4, 2025 21:48
cinderellasecure requested a review from a team as a code owner November 4, 2025 21:48
Copilot AI review requested due to automatic review settings November 4, 2025 21:49

Copilot AI left a comment

Pull Request Overview

This PR adds permissions restrictions to GitHub Actions workflows by setting contents: read as the default permission level. This follows the principle of least privilege, ensuring that workflows only have the minimum permissions necessary to execute their tasks.

Key Changes:

  • Added explicit permissions configuration to workflow files
  • Set contents: read as the baseline permission for all workflows

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File | Description
.github/workflows/publish.yml | Added permissions block with contents: read to restrict default workflow permissions
.github/workflows/nodejs.yml | Added permissions block with contents: read to restrict default workflow permissions
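
An added example, not part of this pull request or the repository's code: a small check that reports whether a workflow declares the workflow-level permissions block this change introduces, and whether that block grants any write scope. The sample workflows are constructed, the function names are hypothetical, and the reader assumes block-style YAML indented with spaces and inspects only the workflow-level key, not per-job overrides.

```python
import re

# Constructed sample workflows; not the files changed in this pull request.
WITHOUT_BLOCK = """\
name: CI
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
"""
WITH_BLOCK = """\
name: CI
on: [push]
permissions:
  contents: read   # workflow-level baseline
jobs:
  build:
    runs-on: ubuntu-latest
"""
WRITE_BLOCK = WITH_BLOCK.replace("contents: read", "contents: write")

def workflow_permissions(text):
    """Return workflow-level permissions: a dict of scopes, a scalar string
    (e.g. read-all, write-all, {}), or None if the key is absent."""
    lines = [re.sub(r"(^|\s)#.*$", "", l).rstrip() for l in text.splitlines()]
    for i, line in enumerate(lines):
        m = re.match(r"permissions:\s*(.*)$", line)  # column 0 only
        if not m:
            continue
        if m.group(1):
            return m.group(1)
        scopes = {}
        for child in lines[i + 1:]:
            if child and not child.startswith(" "):
                break  # reached the next top-level key
            if ":" in child:
                key, value = child.split(":", 1)
                scopes[key.strip()] = value.strip()
        return scopes
    return None

def audit(text):
    """Classify a workflow as 'missing', 'grants-write' or 'restricted'."""
    perms = workflow_permissions(text)
    if perms is None:
        return "missing"  # token falls back to the repo/org default
    values = [perms] if isinstance(perms, str) else perms.values()
    return "grants-write" if any("write" in v for v in values) else "restricted"
```

Calling audit() on the text of each file under .github/workflows gives a quick list of workflows that still rely on the repository or organization default token permissions.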
