Skip to content

Scope workflow GITHUB_TOKEN permissions per job#60

Merged
djacu merged 2 commits into
mainfrom
harden/scope-permissions
Jul 6, 2026
Merged

Scope workflow GITHUB_TOKEN permissions per job#60
djacu merged 2 commits into
mainfrom
harden/scope-permissions

Conversation

@djacu

@djacu djacu commented Jul 6, 2026

Copy link
Copy Markdown
Member

What

Scopes the GITHUB_TOKEN permissions across the workflows — the last of the zizmor findings.

  • check.yml: read-allcontents: read (the two jobs needing more already declare their own blocks).
  • release-guide.yml: top-level contents: write{}, granted per job:
    • releasecontents: write (gh release create)
    • checkcontents: read
    • release-npm-packageid-token: write + contents: read (npm OIDC)
    • deploycontents: write + statuses: write + deployments: write (Netlify commit-comment / commit-status / GitHub-deployment integrations)
  • netlify-deploy.yml: explicit permissions block matching those integrations, so it is scoped on both the release and manual (workflow_dispatch) paths.

Why

The workflow-wide contents: write and read-all gave every job more access than it needs. A reusable workflow's token is set by the caller and can only be reduced, so each calling job now grants exactly its callee's need — notably id-token: write for the npm OIDC publish must sit on the calling job (reuse-workflows docs).

The Netlify deploy keeps its three GitHub integrations (commit comment, commit status, and a production deployment record — all pointing at brand.nixos.org), so its job retains contents/statuses/deployments: write, now scoped to that one job instead of the whole workflow.

Verification

  • actionlint: clean
  • zizmor: 0 findings. This clears the excessive-permissions set; earlier PRs cleared unpinned-uses, template-injection, artipacked, and superfluous-actions.

Not verified

Permissions only take effect at runtime on privileged events — an actual tag-push release and a manual Netlify deploy — which can't be exercised locally. On the next release, watch the npm OIDC publish (id-token: write on the calling job) and the Netlify integrations (contents/statuses/deployments: write).

djacu added 2 commits July 6, 2026 08:04
Replace permissions: read-all with the minimal contents: read. The three
jobs that inherit the top-level default (format, build-the-world,
branding-guide-changelog) only need to read the repo; the two jobs that
need more (compare-artifacts-build, compare-artifacts-comment) already
declare their own permissions blocks. Clears a zizmor excessive-permissions
finding.
Drop the workflow-wide contents: write in release-guide.yml (top-level
permissions: {}) and grant the minimum per job: release gets contents: write
for gh release create; the reusable-workflow callers grant the ceiling their
callees need -- check (contents: read), release-npm-package (id-token: write
for OIDC + contents: read), and deploy (contents/statuses/deployments: write
for the Netlify commit-comment, commit-status, and GitHub-deployment
integrations). Add the matching permissions block to netlify-deploy.yml so it
is explicit on both the release and manual paths.

Per GitHub's model a reusable workflow's token is set by the caller and can
only be reduced, so id-token: write must sit on the calling job. Clears the
remaining zizmor excessive-permissions findings.
@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown

Artifact comparison

0 modified · 0 added · 0 deleted · 96 unchanged

Download report — HTML file; open in a browser.

Compared
  • Base: b873be3f167279d05e7cc007ff7b37c88d87c233 (current main tip when this ran)
  • After: 7fbfb84f17349e0c0bf6694ca5deb55d8edaddf6 (merge commit; falls back to PR head if unmergeable)

@djacu djacu merged commit 2380abd into main Jul 6, 2026
5 checks passed
@djacu djacu deleted the harden/scope-permissions branch July 6, 2026 15:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant