
PDP-1182 SECCMP-1797: Add top-level permissions to restrict default token#624

Open
GAdityaVarma wants to merge 2 commits into
developfrom
fix/SECCMP-1797-harden-permissions

Conversation

@GAdityaVarma
Contributor

SECCMP-1797: Add top-level permissions to restrict default token

Adds permissions: contents: read at the workflow level to restrict the default GITHUB_TOKEN scope. Without this, all jobs inherit the full pull_request_target write token.

The copyright-validation job already declares its own permissions block which overrides the default for that specific job.

Ref: Preventing pwn requests
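The weak and hardened forms of the pattern this PR describes, shown side by side as an added illustration. This is not the repository's actual workflow file: the `lint` job, the step contents, the trigger types and the exact scopes in the `copyright-validation` job-level block are assumptions (the page only says that job declares its own block). The two documents are separated with `---` so they can sit in one listing; a real workflow file holds one document.

```yaml
# Added example, not the project's workflow. Two variants of a
# pull_request_target workflow: the weak form first, then the hardened form.

# --- BEFORE (weak): no top-level `permissions`, so every job without its own
# block inherits the default GITHUB_TOKEN. For pull_request_target that token
# is issued in the base repository's context, so with the permissive
# repository default it is write-capable (the "pwn request" exposure).
name: pr-checks-before
on:
  pull_request_target:
    types: [opened, synchronize]     # assumed trigger types

jobs:
  lint:                              # assumed job, for illustration only
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/lint.sh       # runs with the inherited (write) token

  copyright-validation:
    runs-on: ubuntu-latest
    permissions:                     # job-level block the page says exists
      contents: write                # assumed scope; the page does not list it
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/check-copyright.sh
---
# --- AFTER (hardened): the one-line change from the PR. Naming any key at the
# top level sets every permission not listed to `none`, so `contents: read`
# means read-only contents and nothing else for every job by default.
name: pr-checks-after
on:
  pull_request_target:
    types: [opened, synchronize]

permissions:
  contents: read

jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4    # checks out the base ref, not the PR head
      - run: ./scripts/lint.sh       # GITHUB_TOKEN is read-only here now

  copyright-validation:
    runs-on: ubuntu-latest
    permissions:                     # overrides the top-level default for this job
      contents: write                # assumed scope
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/check-copyright.sh
```

Two checks worth making after applying the change. First, the effective scopes are printed under "GITHUB_TOKEN Permissions" in the "Set up job" log of each run, so the read-only default and the job-level override can both be confirmed there. Second, `permissions` constrains only GITHUB_TOKEN; a pull_request_target run still has access to repository secrets, and any job that re-elevates (as `copyright-validation` does) must not check out and execute the PR head, since that combination is the pwn request itself regardless of the top-level block. Whether the inherited default is actually write-capable depends on the repository's Workflow permissions setting; declaring the block explicitly makes the workflow independent of that setting.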

rjrudin and others added 2 commits March 19, 2026 09:44
Just pointing to releases page to avoid having to update the tag name in future releases.
Adds explicit top-level permissions: contents: read to limit the
default GITHUB_TOKEN scope for all jobs. Individual jobs that need
write access (copyright-validation) already declare their own
permissions block which overrides the default.

This follows the principle of least privilege recommended in
GitHub's PwnRequest security guidance.
Copilot AI review requested due to automatic review settings April 8, 2026 14:01
Contributor

Copilot AI left a comment


Pull request overview

Restricts the default GITHUB_TOKEN scope for the pull_request_target workflow by setting workflow-level permissions, reducing exposure of write-capable tokens to jobs that don’t explicitly need them.

Changes:

  • Add workflow-level permissions: contents: read to limit default token scope.
  • Keep job-level elevated permissions only for copyright-validation.


@GAdityaVarma changed the title from "SECCMP-1797: Add top-level permissions to restrict default token" to "PDP-1182 SECCMP-1797: Add top-level permissions to restrict default token" on Apr 8, 2026
@rjrudin rjrudin changed the base branch from main to develop April 8, 2026 14:12
@SameeraPriyathamTadikonda
Contributor

@GAdityaVarma let's remove this workflow from this repository.
