ci: add read-only workflow token permissions #1050
Open
Alb3e3 wants to merge 1 commit into
2915e48 to
c1f1ee5
flichtenheld
requested changes
Jun 12, 2026
| push: | ||
| pull_request: | ||
|
|
||
| permissions: read-all |
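Review bot: `permissions: read-all` on this hunk grants the token every read scope (issues, pull requests, packages and so on), whereas the PR description states the build and test jobs only need repository contents read access; `permissions: contents: read` would match that statement and, being an explicit list, would also document the permissions actually required.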
If we change this I would prefer we document the actually needed permissions.
| CXX: ${{matrix.cxx}} | ||
| UBSAN_OPTIONS: print_stacktrace=1 | ||
| LIBPREFIX: /opt/${{inputs.libname}} | ||
| LIB_CONFIGURE: ${{inputs.libconfigure}} |
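Review bot: moving `${{matrix.cxx}}`, `${{inputs.libname}}` and `${{inputs.libconfigure}}` into `env:` entries is not explained by the commit message or the PR description, and these `inputs.*` values are hard-coded by the calling workflow; either state which input could carry untrusted data (and so why routing it through `env:` matters) or split this hunk out of a patch described as focused on workflow token permissions.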
I don't exactly understand what this protects against? Injection by whom? This is all hard-coded stuff.
| run: | | ||
| ${{inputs.ovpnconfigureenv}} \ | ||
| ./configure --with-crypto-library=${{inputs.ovpnlibname}} ${{inputs.ovpnconfigureflags}} | ||
| env -S "$OVPN_CONFIGURE_ENV" \ |
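Review bot: `env -S "$OVPN_CONFIGURE_ENV"` cannot stand in for the inline `${{inputs.ovpnconfigureenv}}` expansion it replaces: `env -S` only performs `${VARNAME}` substitution, and the configure environment string contains bare `$LIBPREFIX` references inside quoted assignments, which is the parse error reported by the GHA run quoted in the review below. Either keep the shell-expanded form or have the caller pass each variable as its own `env:` entry instead of one combined string.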
Does not actually work. See GHA run.
env: only ${VARNAME} expansion is supported, error at: $LIBPREFIX/include" OPENSSL_LIBS="-L$LIBPREFIX/lib -lssl -lcrypto" LDFLAGS="-Wl,-rpath=$LIBPREFIX/lib"
Set explicit, least-privilege GitHub Actions token permissions for the CI, Coverity, Doxygen, and SSL library test workflows. The build and test jobs only need repository contents read access. The Doxygen deploy job already declares its Pages and OIDC permissions at the job level, so the workflow default can stay read-only.
c1f1ee5 to
342051e
Summary
All four GitHub Actions workflows lacked an explicit workflow-level permissions: block. Without one, each run inherits the repository default GITHUB_TOKEN permissions, which can be broader than these jobs need. This revision keeps the patch focused on workflow token permissions and sets the default token scope to read-only repository contents access.
Changes
build.yaml: add permissions: contents: read
coverity-scan.yml: add permissions: contents: read
doxygen.yml: add permissions: contents: read; the deploy job keeps its existing job-level pages: write and id-token: write permissions
test-ssllib.yml: add permissions: contents: read
Verification
Result:
yaml ok.
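The workflow-level read-only default together with the job-level override the description mentions for the deploy job, written out as an added illustration rather than the PR's own diff; the job names, action versions and build commands are placeholders, not taken from the repository's workflows.

```yaml
# Workflow-level default: every job's GITHUB_TOKEN gets read access to
# repository contents and nothing else. An earlier revision used
# "permissions: read-all", which would grant every read scope instead.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    # Inherits the workflow default (contents: read), which is all that
    # checkout and a build/test run need.
    steps:
      - uses: actions/checkout@v4          # placeholder checkout step
      - run: ./configure && make check    # placeholder build/test step

  deploy:
    needs: build
    runs-on: ubuntu-latest
    # Job-level permissions replace the workflow default rather than extend
    # it: any scope not listed here becomes "none", so contents: read is
    # restated alongside the Pages and OIDC scopes the deployment needs.
    permissions:
      contents: read
      pages: write      # publish to GitHub Pages
      id-token: write   # OIDC token for the Pages deployment
    steps:
      - uses: actions/deploy-pages@v4      # placeholder deploy step
```

The deploy job is the only one holding write scopes, so a compromised build or test step still ends up with a token that can only read the repository.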