docs: apply deny-by-default permissions to all README examples#425

Open

timdittler wants to merge 2 commits into main from docs-secret-scan-permissions


Conversation

@timdittler (Contributor) commented Apr 13, 2026

Summary

  • Adds top-level permissions: {} to every template example in the README (intro template + 17 workflows)
  • Per-job permissions: blocks were already present and are left unchanged
  • Verified the pattern end-to-end in Staffbase/casper#181, Staffbase/customer-control#3940, Staffbase/plugins#1212

Why

GitHub Actions does not auto-drop workflow-level permissions when you set job-level ones. Jobs without their own permissions: block still inherit whatever is at the workflow level — or, if nothing is set, the repo/org default GITHUB_TOKEN scope (often permissive write-all).

Setting permissions: {} at the workflow level is the "deny by default" belt that pairs with the per-job "grant specifically" suspenders. It protects consumers of these examples against:

  • Repos with permissive default GITHUB_TOKEN scopes
  • Future job additions to a workflow that forget to declare permissions

Originally triggered by the Copilot review on Staffbase/customer-control#3940, which flagged the missing top-level block.

Test plan

  • Render the README on GitHub and spot-check a few collapsed examples
  • Confirm CI/yamllint passes (no yaml changes, docs only)
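The inheritance rule described in the PR, worked through as an added example (not part of this PR or the Staffbase project): the workflows are written as the dicts `yaml.safe_load` would produce for the README YAML, so the check runs without PyYAML. The scope list and the permissive repo default are constructed approximations, and the `notify` job is a hypothetical later addition that forgot its own `permissions:` block.

```python
# Resolve the GITHUB_TOKEN scopes each job actually runs with, following
# the rule the PR describes: a job-level block wins outright, a job with
# no block inherits the workflow-level block, and with neither it falls
# back to the repo/org default.
SCOPES = ("actions", "checks", "contents", "deployments", "issues",
          "packages", "pull-requests", "security-events", "statuses")

# Constructed stand-in for a repo still on the permissive "read and write"
# default: write on every scope above.
PERMISSIVE_DEFAULT = {scope: "write" for scope in SCOPES}


def expand(block):
    """Normalise a `permissions:` value to {scope: level}.

    `{}` means no scopes at all; `read-all` / `write-all` expand over every
    scope; an explicit mapping grants exactly what it lists.
    """
    if block == {}:
        return {}
    if block == "read-all":
        return {scope: "read" for scope in SCOPES}
    if block == "write-all":
        return dict(PERMISSIVE_DEFAULT)
    return dict(block)


def effective_permissions(workflow, repo_default=PERMISSIVE_DEFAULT):
    """Map each job name to the token scopes it ends up with."""
    resolved = {}
    for name, job in workflow.get("jobs", {}).items():
        if "permissions" in job:
            resolved[name] = expand(job["permissions"])
        elif "permissions" in workflow:
            resolved[name] = expand(workflow["permissions"])
        else:
            resolved[name] = dict(repo_default)
    return resolved


def jobs_inheriting_repo_default(workflow):
    """Jobs whose token scope is decided outside the workflow file."""
    if "permissions" in workflow:
        return []
    return [n for n, j in workflow["jobs"].items() if "permissions" not in j]


# Constructed before/after of the README change: the per-job block is the
# same in both; only the top-level `permissions: {}` differs.
BEFORE = {"jobs": {"trufflehog": {"permissions": {"contents": "read"}},
                   "notify": {}}}  # hypothetical job without its own block
AFTER = {"permissions": {}, "jobs": BEFORE["jobs"]}
```

Running `jobs_inheriting_repo_default(BEFORE)` reports `notify`, the job that silently gets the repo default; with the top-level `{}` in `AFTER` the same job resolves to no scopes at all.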

timdittler and others added 2 commits April 13, 2026 10:14
Completes the per-job permissions pattern by denying all permissions at
the workflow level by default, then granting only contents: read to the
trufflehog job. Prevents consumers of the reusable workflow from
inheriting permissive GITHUB_TOKEN defaults.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Applies deny-by-default permissions at the workflow level across every
template example (intro + 17 workflows). Per-job permissions already
existed and were left unchanged.

GitHub does not auto-zero workflow-level permissions when job-level
permissions are set; jobs without their own block still inherit the
workflow-level scope (or the repo default, often write-all). The
top-level {} ensures that any job without an explicit permissions block
gets nothing instead of the repo default, protecting consumers against
future job additions.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@timdittler timdittler changed the title from "docs: complete per-job permissions in secret-scan example" to "docs: apply deny-by-default permissions to all README examples" Apr 13, 2026
@timdittler timdittler requested a review from 0x46616c6b April 13, 2026 08:21
@timdittler timdittler marked this pull request as ready for review April 13, 2026 08:22
@timdittler timdittler requested a review from a team as a code owner April 13, 2026 08:22
@timdittler timdittler requested a review from flaxel April 13, 2026 08:22