Skip to content

Commit 35c6c4a

Browse files
turbomamclaude
andauthored
ci: set least-privilege workflow permissions (#555)
Add a top-level deny-all permissions block to qc.yml and codeql.yml, and grant the QC job only contents: read. qc.yml previously set no permissions, so it inherited the repository default token scope (code scanning alert #6, CWE-275). codeql.yml already scoped its job permissions; this adds the matching top-level default. Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
1 parent 80e6c12 commit 35c6c4a

2 files changed

Lines changed: 9 additions & 0 deletions

File tree

.github/workflows/codeql.yml

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -9,6 +9,9 @@ on:
99
- cron: '0 6 * * 1' # Monday 6am UTC
1010
workflow_dispatch:
1111

12+
# Deny all permissions by default; the analyze job grants the minimum it needs.
13+
permissions: {}
14+
1215
jobs:
1316
analyze:
1417
name: Analyze

.github/workflows/qc.yml

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -13,13 +13,19 @@ on:
1313
# Allows you to run this workflow manually from the Actions tab
1414
workflow_dispatch:
1515

16+
# Deny all permissions by default; grant the minimum needed at the job level.
17+
permissions: {}
18+
1619
# A workflow run is made up of one or more jobs that can run sequentially or in parallel
1720
jobs:
1821
# This workflow contains a single job called "ontology_qc"
1922
ontology_qc:
2023
# The type of runner that the job will run on
2124
runs-on: ubuntu-latest
2225
container: obolibrary/odkfull:v1.6.1
26+
# Only needs to read the repository to check it out and run the QC make target.
27+
permissions:
28+
contents: read
2329

2430
# Steps represent a sequence of tasks that will be executed as part of the job
2531
steps:

0 commit comments

Comments
 (0)