
Conversation

@Ollie-H (Contributor) commented Jan 7, 2026

Purpose

  • Adds explicit permissions to all GitHub Actions workflows following the principle of least privilege, ensuring each workflow only has the minimum required access.

More info on changes in doc: https://contentful.atlassian.net/wiki/spaces/SRT/blog/2025/12/01/6020300812/Securing+GitHub+actions+and+workflows+priority+for+public+repositories

Ticket: https://contentful.atlassian.net/browse/SPA-3604
https://contentful.atlassian.net/browse/ACT-2077

@Ollie-H Ollie-H self-assigned this Jan 7, 2026
@Ollie-H Ollie-H requested a review from a team as a code owner January 7, 2026 14:05
@Ollie-H Ollie-H requested review from SofiaMargariti and kizer-cf and removed request for a team January 7, 2026 14:05
@vercel (vercel bot) commented Jan 7, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project                          Deployment   Review    Updated (UTC)
nextjs-marketing-demo-bug-test   Ready        Preview   Jan 7, 2026 3:07pm

3 Skipped Deployments

Project                          Deployment   Review    Updated (UTC)
experience-builder-test-app      Ignored                Jan 7, 2026 3:07pm
studio-nextjs-marketing-demo     Ignored                Jan 7, 2026 3:07pm
studio-react-vite-template       Ignored                Jan 7, 2026 3:07pm

@wiz-inc-38d59fb8d7 (bot) commented Jan 7, 2026

Wiz Scan Summary

Scanner                          Findings
Vulnerabilities                  1 Medium
Sensitive Data                   -
Secrets                          -
IaC Misconfigurations            10 Info
SAST Findings                    -
Software Supply Chain Findings   -
Total                            1 Medium, 10 Info

View scan details in Wiz

To detect these findings earlier in the dev lifecycle, try using Wiz Code VS Code Extension.

@Ollie-H Ollie-H changed the title chore: added permissions to workflows to least possible permission [SPA-3604] chore: added permissions to workflows to least possible permission [SPA-3604][ACT-2077] Jan 7, 2026
@anwaar931 (Contributor) left a comment

👍

@Chaoste (Contributor) left a comment

Thanks for looking into this. The permissions look correct to me

Comment on lines +38 to +41
permissions:
  contents: write # Checkout with full history
  id-token: write # OIDC token for authentication
  actions: read # Restore cache

I was under the assumption that a workflow inherits its permission from its parent. Since this one only has "contents: read" permission, is it possible to allow these jobs here to get more permissions?

@Ollie-H (Contributor, Author) commented Jan 7, 2026

As I understand it from the docs, the job elevates permissions relative to the workflow baseline, which wouldn’t normally be allowed. However, here it is allowed because it happens in the caller workflow (here /vercel.yaml), so it doesn’t increase permissions within the same workflow.
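The caller/called distinction discussed above, as an added example that is not the PR's own vercel.yaml or any file in this repository: a caller workflow with a read-only baseline whose deploy job declares its own wider token scopes and hands them to a hypothetical reusable workflow, which may only keep or narrow them. The called-workflow path and the `npm` steps are assumptions.

```yaml
# Added example, not the PR's own files. The called-workflow path is hypothetical.
# --- .github/workflows/vercel.yaml (caller) ---
name: Vercel preview
on:
  pull_request:

# Workflow-level baseline: every job gets only this scope unless it declares its own block.
permissions:
  contents: read

jobs:
  lint:
    runs-on: ubuntu-latest   # inherits the baseline: contents: read, everything else none
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm run lint

  deploy:
    # A job-level block overrides the baseline for this job only and may be broader than it;
    # any scope it omits becomes none, so list exactly what the job needs.
    permissions:
      contents: write   # Checkout with full history
      id-token: write   # OIDC token for authentication
      actions: read     # Restore cache
    uses: ./.github/workflows/deploy.yaml   # hypothetical reusable workflow
    secrets: inherit

---
# --- .github/workflows/deploy.yaml (called, hypothetical) ---
name: Deploy
on:
  workflow_call:

jobs:
  deploy:
    runs-on: ubuntu-latest
    # A called workflow receives the caller job's token scopes and may only narrow them,
    # never widen them; the caller is where any elevation has to be declared.
    permissions:
      contents: read    # narrowed from the caller's contents: write
      id-token: write
      actions: read
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0  # full history, as the caller's comment requires
      - run: echo "deploy using OIDC-minted credentials"
```

Reviewing a reusable workflow's `permissions` block in isolation therefore says little; the effective scopes come from the caller job, which is why the question about "contents: read" has to be answered against vercel.yaml.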

@Ollie-H Ollie-H merged commit 79daec0 into development Jan 8, 2026
21 of 22 checks passed
@Ollie-H Ollie-H deleted the chore/SPA-3604-explicit-github-token-permissions branch January 8, 2026 10:15