@caugner caugner commented Oct 16, 2025

Description

Adds explicit permissions: configuration to workflow files that don't already have permissions defined either at the workflow level or for all jobs.

  • If the workflow doesn't use secrets.GITHUB_TOKEN or github.token, sets permissions: {} to restrict all permissions.
  • If the workflow uses the GitHub token, adds permissions: with required permissions.

Motivation

It is a security best practice to explicitly declare GITHUB_TOKEN permissions instead of relying on default permissions, following the principle of least privilege by ensuring workflows only have the permissions they actually need.

Additional details

See: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token

Related issues and pull requests

Part of mdn/fred#924.
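The two cases the description distinguishes, as an added example that is not part of the PR or of the mdn/fred repository. Both workflows are constructed for illustration; the workflow names, the lint and gh commands and the job names are assumptions, not taken from the project.

```yaml
# Added example, not code from the mdn/fred PR. Two constructed workflow
# files are shown in one block, separated by "---"; in a repository each
# would live in its own file under .github/workflows/.

# Case 1: nothing in the workflow references secrets.GITHUB_TOKEN or
# github.token, so the token is given no scopes at all. Without this block
# every job would inherit the repository's default token permissions.
name: lint                     # assumed name
on: [pull_request]
permissions: {}                # every GITHUB_TOKEN scope is "none"
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm run lint   # assumed command
---
# Case 2: a step uses github.token, so the workflow keeps the empty default
# and the job that needs the token asks for exactly its scopes. A job-level
# block replaces the workflow-level one rather than merging with it, and
# any scope the block leaves out is set to "none".
name: pr-size-comment          # assumed name
on: [pull_request]
permissions: {}                # deny by default for every job
jobs:
  comment:
    runs-on: ubuntu-latest
    permissions:
      contents: read           # actions/checkout needs this on a private repo
      pull-requests: write     # gh pr comment
    steps:
      - uses: actions/checkout@v4
      - run: >
          gh pr comment "$PR" --body
          "$(gh pr view "$PR" --json additions,deletions
             --jq '"+\(.additions) / -\(.deletions) lines changed"')"
        env:
          GH_TOKEN: ${{ github.token }}            # explicit token use: case 2
          PR: ${{ github.event.pull_request.number }}
```

One caveat when applying the case 1 rule mechanically: actions/checkout uses GITHUB_TOKEN implicitly even though the workflow text never mentions it, and on a private repository it needs `contents: read`. A workflow that greps clean for `secrets.GITHUB_TOKEN` and `github.token` but checks out a private repository therefore belongs in case 2, with `contents: read` granted at the job level.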

@caugner caugner requested review from a team and LeoMcA and removed request for a team October 16, 2025 14:57
@caugner caugner marked this pull request as ready for review October 16, 2025 16:03
@caugner caugner requested a review from a team as a code owner October 16, 2025 16:03
@LeoMcA LeoMcA merged commit 00c7f23 into main Oct 17, 2025
4 checks passed
@LeoMcA LeoMcA deleted the workflow-permissions branch October 17, 2025 08:54