Add minimum token permissions for all GitHub workflow files #21

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Draft

Copilot wants to merge 2 commits into main from copilot/fix-20

Copilot AI commented Jul 12, 2025 •

edited

Loading

This PR adds minimum token permissions to all GitHub workflow files to improve security posture according to OpenSSF Scorecard recommendations, specifically addressing the Token-Permissions check.

Changes Made

Root-Level Permissions Added

Added permissions: contents: read to all workflows that only need basic read access
Maintained existing permissions: read-all for ossf-scorecard.yml (already compliant)
Applied proper formatting with blank lines above and below permissions blocks

Job-Level Permissions Added Where Needed

benchmarks.yml: Added contents: write (for gh-pages push) and pull-requests: write (for PR comments)
codeql-analysis.yml: Added security-events: write (for CodeQL results upload)
release.yml: Added contents: write (for GitHub releases)
prepare-release-branch.yml: Added pull-requests: write (for PR labels) to both jobs
prepare-patch-release.yml: Added pull-requests: write (for PR labels)

Template Updates

Updated all workflow templates (lint.yml.j2, test.yml.j2, misc.yml.j2) to include proper permissions
Regenerated workflow files from templates with updated permissions
Removed obsolete test_1.yml file that was no longer generated

Files Updated

Manual workflows: backport.yml, benchmarks.yml, changelog.yml, check-links.yml, codeql-analysis.yml, contrib.yml, prepare-patch-release.yml, prepare-release-branch.yml, release.yml
Generated workflows: lint_0.yml, test_0.yml, misc_0.yml
Templates: All template files in .github/workflows/templates/

Security Impact

Workflows using custom tokens (OPENTELEMETRYBOT_GITHUB_TOKEN) only receive basic read permissions
Job-level permissions are added only where GITHUB_TOKEN is explicitly used
All write permissions include trailing comments explaining their necessity
Follows principle of least privilege while maintaining functionality

Verification

All 14 workflow files now pass OpenSSF Scorecard Token-Permissions requirements. The changes are minimal and surgical, maintaining existing functionality while improving security posture.

Fixes #20.

💬 Share your feedback on Copilot coding agent for the chance to win a $200 gift card! Click here to start the survey.


          Initial plan

37f736a

Copilot AI assigned Copilot and trask

Copilot started work on behalf of trask

July 12, 2025 22:14


          Add minimum token permissions to all GitHub workflow files

5f906bf

Co-authored-by: trask <218610+trask@users.noreply.github.com>

Copilot AI changed the title ~~[WIP] Add minimum token permissions for all github workflow files~~ Add minimum token permissions for all GitHub workflow files

Copilot AI requested a review from trask

July 12, 2025 22:29

Copilot finished work on behalf of trask

July 12, 2025 22:29

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet