fix: scope workflow token permissions to job level for Scorecard#42

Merged
SebTardif merged 2 commits into main from fix/scorecard-token-permissions
May 26, 2026

Conversation

@SebTardif

Contributor

Summary

Moves write permissions from workflow-level to job-level in 4 workflows
to satisfy OpenSSF Scorecard Token-Permissions checks.

What changed

| Workflow | Before (top-level) | After (top-level / job-level) |
|---|---|---|
| backport.yaml | contents: write, pull-requests: write | contents: read / write at backport job |
| dependabot-auto-merge.yaml | contents: write, pull-requests: write | contents: read / write at auto-merge job |
| security.yaml | security-events: write | contents: read / write at codeql job only |
| release.yaml | contents: write, packages: write, id-token: write | contents: read / write at release and helm-release jobs |

The provenance and container-provenance jobs in release.yaml already
had job-level permissions and are unchanged.

Why

Scorecard Token-Permissions penalizes workflows with top-level write
permissions because a compromised or malicious step in any job inherits
those permissions. Job-level scoping ensures each job gets only the
access it actually needs.

Resolves Scorecard alerts #2, #3, #4, #5, #12.
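The pattern the table describes, shown as a constructed before/after for the security.yaml case (this is an added illustration, not the repository's actual workflow file; job and step names are assumptions). Note that a job-level permissions block replaces the workflow-level block for that job rather than merging with it, so any scope the job needs, including contents: read, must be restated there.

```yaml
# BEFORE (constructed): write grant at workflow level, inherited by every job.
name: security
on: [push, pull_request]
permissions:
  contents: read
  security-events: write   # the lint job also receives this, though it never uploads alerts
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make lint       # a compromised step here could write to code-scanning alerts
  codeql:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
      - uses: github/codeql-action/analyze@v3
---
# AFTER (constructed): workflow level is read-only; only the codeql job gets the write scope.
name: security
on: [push, pull_request]
permissions:
  contents: read           # default for every job that does not override it
jobs:
  lint:
    runs-on: ubuntu-latest # inherits contents: read only; no write scopes at all
    steps:
      - uses: actions/checkout@v4
      - run: make lint
  codeql:
    runs-on: ubuntu-latest
    permissions:
      contents: read         # restated: job-level permissions replace, not extend, the top-level block
      security-events: write # needed by codeql-action/analyze to upload SARIF results
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
      - uses: github/codeql-action/analyze@v3
```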

Comment thread internal/controller/prometheus.go Fixed
SebTardif added 2 commits May 26, 2026 10:00
OpenSSF Scorecard Token-Permissions check flags top-level write
permissions as overly broad. Move write grants to the specific
jobs that need them, keeping workflow-level at contents: read.

Fixes Scorecard alerts #2, #3, #4, #5, #12.

Signed-off-by: Sebastien Tardif <sebtardif@ncf.ca>
…te cache key hashing

- Pin mkdocs-material==9.7.6 in docs.yaml and ci.yaml (Scorecard
  Pinned-Dependencies alert #1)
- Move pages/id-token write permissions to deploy job in docs.yaml
- Add nolint annotations on SHA256 cache key derivation (not password
  storage); CodeQL alerts #10 and #11 dismissed as false positives

Signed-off-by: Sebastien Tardif <sebtardif@ncf.ca>
@SebTardif SebTardif force-pushed the fix/scorecard-token-permissions branch from be9c8cf to 435f8fe May 26, 2026 17:06
@SebTardif SebTardif enabled auto-merge (squash) May 26, 2026 17:08
@SebTardif SebTardif merged commit 5251468 into main May 26, 2026
25 checks passed
@SebTardif SebTardif deleted the fix/scorecard-token-permissions branch June 21, 2026 02:42
2 participants