Skip to content

ci(repo): add least-privilege permissions to GitHub Actions workflows#2798

Open
peter-matkovski wants to merge 9 commits into
masterfrom
ci/workflow-least-privilege-permissions
Open

ci(repo): add least-privilege permissions to GitHub Actions workflows#2798
peter-matkovski wants to merge 9 commits into
masterfrom
ci/workflow-least-privilege-permissions

Conversation

@peter-matkovski

@peter-matkovski peter-matkovski commented Jul 8, 2026

Copy link
Copy Markdown

Summary

  • Add explicit least-privilege permissions blocks to workflow files flagged by CodeQL.
  • Scopes derived from workflow operations (build, artifacts, Danger, release git push).
  • Resolves 24 open actions/missing-workflow-permissions alerts.

Linear

Test plan

  • CI green
  • Code scanning alerts close after merge

Summary by CodeRabbit

  • Chores
    • Updated several automation workflows to define explicit workflow-level permissions.
    • Most workflows now run with read-only access to repository contents and pull requests.
    • Where needed, one workflow retains write access to perform automation updates.

Add explicit workflow-level permissions blocks to resolve CodeQL
actions/missing-workflow-permissions alerts. Scopes are derived from
workflow operations (git push, artifact upload, Danger, release lanes).

Refs: APPSEC-164
Add explicit workflow-level permissions blocks to resolve CodeQL
actions/missing-workflow-permissions alerts. Scopes are derived from
workflow operations (git push, artifact upload, Danger, release lanes).

Refs: APPSEC-164
Add explicit workflow-level permissions blocks to resolve CodeQL
actions/missing-workflow-permissions alerts. Scopes are derived from
workflow operations (git push, artifact upload, Danger, release lanes).

Refs: APPSEC-164
Add explicit workflow-level permissions blocks to resolve CodeQL
actions/missing-workflow-permissions alerts. Scopes are derived from
workflow operations (git push, artifact upload, Danger, release lanes).

Refs: APPSEC-164
Add explicit workflow-level permissions blocks to resolve CodeQL
actions/missing-workflow-permissions alerts. Scopes are derived from
workflow operations (git push, artifact upload, Danger, release lanes).

Refs: APPSEC-164
Add explicit workflow-level permissions blocks to resolve CodeQL
actions/missing-workflow-permissions alerts. Scopes are derived from
workflow operations (git push, artifact upload, Danger, release lanes).

Refs: APPSEC-164
Add explicit workflow-level permissions blocks to resolve CodeQL
actions/missing-workflow-permissions alerts. Scopes are derived from
workflow operations (git push, artifact upload, Danger, release lanes).

Refs: APPSEC-164
Add explicit workflow-level permissions blocks to resolve CodeQL
actions/missing-workflow-permissions alerts. Scopes are derived from
workflow operations (git push, artifact upload, Danger, release lanes).

Refs: APPSEC-164
@coderabbitai

coderabbitai Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 6fcadb38-dbc4-4147-bb09-4c83a7a5f651

📥 Commits

Reviewing files that changed from the base of the PR and between 49c0821 and a6ac9fc.

📒 Files selected for processing (1)
  • .github/workflows/update_goldens.yml

📝 Walkthrough

Walkthrough

This PR adds top-level permissions blocks to eight GitHub Actions workflow files, explicitly scoping GITHUB_TOKEN access to read-only permissions in most cases and write access where required. No triggers, jobs, or steps were changed.

Changes

GitHub Actions permissions scoping

Layer / File(s) Summary
Add explicit permissions blocks
.github/workflows/beta_version_analyze.yml, .github/workflows/distribute_external.yml, .github/workflows/distribute_internal.yml, .github/workflows/legacy_version_analyze.yml, .github/workflows/pana.yml, .github/workflows/pr_title.yml, .github/workflows/stream_flutter_workflow.yml, .github/workflows/update_goldens.yml
Each workflow now declares top-level permissions restricting the GITHUB_TOKEN to contents: read, pull-requests: read, or actions: write as applicable; no other workflow logic changed.

Estimated code review effort: 1 (Trivial) | ~5 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the main change: adding least-privilege permissions to GitHub Actions workflows.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch ci/workflow-least-privilege-permissions

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/update_goldens.yml:
- Around line 16-19: The workflow-level permissions in update_goldens.yml are
too broad: remove the unnecessary actions: write grant from the permissions
block. Keep the workflow limited to the minimum needed access, since the
artifact upload steps in the job do not require it and the commit step uses
actions/checkout with ssh-key rather than a contents token.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: b8e4af82-9cb6-42e8-80fc-3a7166b2ab27

📥 Commits

Reviewing files that changed from the base of the PR and between 3676bd2 and 49c0821.

📒 Files selected for processing (8)
  • .github/workflows/beta_version_analyze.yml
  • .github/workflows/distribute_external.yml
  • .github/workflows/distribute_internal.yml
  • .github/workflows/legacy_version_analyze.yml
  • .github/workflows/pana.yml
  • .github/workflows/pr_title.yml
  • .github/workflows/stream_flutter_workflow.yml
  • .github/workflows/update_goldens.yml

Comment thread .github/workflows/update_goldens.yml
@codecov

codecov Bot commented Jul 8, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 71.03%. Comparing base (3676bd2) to head (a6ac9fc).

Additional details and impacted files
@@           Coverage Diff           @@
##           master    #2798   +/-   ##
=======================================
  Coverage   71.03%   71.03%           
=======================================
  Files         429      429           
  Lines       26935    26935           
=======================================
  Hits        19133    19133           
  Misses       7802     7802           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@peter-matkovski peter-matkovski changed the title CI: add least-privilege permissions to GitHub Actions workflows ci(repo): add least-privilege permissions to GitHub Actions workflows Jul 8, 2026
@peter-matkovski peter-matkovski self-assigned this Jul 8, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants