ci: explicitly set required permissions on GitHub Actions Workflows by aaronfowles · Pull Request #303 · alphagov/govuk-knowledge-graph-search

aaronfowles · 2025-09-18T10:03:18Z

The workflows currently have unlimited read/write permissions. This change sets all permissions to contents:read unless explicitly required by a specific action. Both the actions/create-release@v1 and rickstaa/action-create-tag@v1 actions need to make changes to the repo for release. Docs showing required permissions for creating releases and tags: https://docs.github.com/en/rest/authentication/permissions-required-for-github-apps?apiVersion=2022-11-28#repository-permissions-for-contents This addresses https://github.com/alphagov/govuk-knowledge-graph-search/security/code-scanning/1.

JonathanHallam

Sweet, thanks :)

aaronfowles mentioned this pull request Sep 18, 2025

Merge main into production for deployment #302

Merged

aaronfowles requested a review from JonathanHallam September 22, 2025 08:39

aaronfowles marked this pull request as ready for review September 22, 2025 08:40

aaronfowles force-pushed the address_codeql_actions_permissions_issue branch from 9009f42 to 406994a Compare September 22, 2025 11:15

aaronfowles force-pushed the address_codeql_actions_permissions_issue branch from 406994a to 0d49d92 Compare September 22, 2025 14:51

JonathanHallam approved these changes Sep 22, 2025

View reviewed changes

aaronfowles merged commit 0be4362 into main Sep 22, 2025
7 checks passed

aaronfowles deleted the address_codeql_actions_permissions_issue branch September 22, 2025 15:20

Provide feedback