
fix: add explicit permissions to workflow files#59

Merged
0x46616c6b merged 1 commit into main from fix/add-workflow-permissions
Apr 7, 2026

Conversation

@0x46616c6b
Contributor

Type of Change

  • Bugfix
  • Enhancement / new feature
  • Refactoring
  • Documentation

Description

Add explicit permissions blocks to all three GitHub Actions workflow files to resolve open code scanning alerts (actions/missing-workflow-permissions, alerts #3, #12, #14).

Without an explicit permissions block, workflows inherit the default repository token permissions, which may be overly broad. This change follows the principle of least privilege by declaring only the minimum permissions each workflow needs:

Workflow         Permissions                                            Rationale
release.yml      contents: write                                        Release drafter needs write access to create/update draft releases
auto-merge.yml   contents: read                                         Minimal read-only — actual merge operations use the GitHub App token
cla.yml          contents: write, pull-requests: write, actions: read   CLA Assistant needs to push to the signatures branch, comment on PRs, and read workflow context

Checklist

  • Write tests
  • Make sure all tests pass
  • Update documentation
  • Review the Contributing Guideline and sign CLA
  • Reference relevant issue(s) and close them after merging

The changes and the PR were generated by OpenCode.
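As an added illustration of the condition behind the actions/missing-workflow-permissions alert this PR resolves (example code, not the project's own and not from the PR author): a small Python scanner that reports jobs with no effective `permissions` block, treating a workflow-level block as covering every job. The three sample workflows are constructed for the example and are not the repository's files; the scanner assumes the conventional 2-space YAML indentation instead of pulling in a YAML parser.

```python
import re

# Constructed sample workflows (not the project's real files).
SAMPLE_WORKFLOWS = {
    # No permissions block anywhere: the job inherits the default token scope.
    "release.yml": """\
on: push
jobs:
  draft:
    runs-on: ubuntu-latest
""",
    # A workflow-level block covers every job.
    "auto-merge.yml": """\
on: pull_request
permissions:
  contents: read
jobs:
  merge:
    runs-on: ubuntu-latest
""",
    # A job-level block is also sufficient for that job.
    "cla.yml": """\
on: pull_request_target
jobs:
  cla:
    permissions:
      contents: write
      pull-requests: write
      actions: read
""",
}

def jobs_missing_permissions(text):
    """Return ids of jobs with no effective permissions block. Assumes the
    usual 2-space indentation; a top-level `permissions:` (mapping or the
    `read-all`/`{}` shorthand) covers every job, else each job needs its own."""
    lines = text.splitlines()
    if any(re.match(r"^permissions:", ln) for ln in lines):
        return []
    in_jobs, current, jobs = False, None, {}
    for ln in lines:
        if re.match(r"^\S", ln):                              # new top-level key
            in_jobs, current = ln.startswith("jobs:"), None
        elif in_jobs and re.match(r"^  \S[^:]*:\s*$", ln):    # job id line
            current = ln.strip().rstrip(":")
            jobs[current] = False
        elif in_jobs and current and re.match(r"^    permissions:", ln):
            jobs[current] = True
    return [job for job, ok in jobs.items() if not ok]
```

Run over the samples, only release.yml is reported (job `draft`), which is the state the PR's added blocks remove.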

Add minimal permissions blocks to all three workflow files to resolve
code scanning alerts for missing-workflow-permissions (alerts #3, #12, #14).

This follows the principle of least privilege by explicitly declaring
only the permissions each workflow needs rather than inheriting the
default (potentially overly broad) token permissions.

- release.yml: contents: write (create/update draft releases)
- auto-merge.yml: contents: read (App token handles merge operations)
- cla.yml: contents: write, pull-requests: write, actions: read

Co-Authored-By: OpenCode <noreply@opencode.ai>
0x46616c6b marked this pull request as ready for review April 7, 2026 12:24
0x46616c6b requested a review from a team as a code owner April 7, 2026 12:24
0x46616c6b merged commit c6e5805 into main Apr 7, 2026
10 checks passed
0x46616c6b deleted the fix/add-workflow-permissions branch April 7, 2026 12:25
github-actions bot locked and limited conversation to collaborators Apr 7, 2026
0x46616c6b added the "bug" (Something isn't working) label Apr 7, 2026