ci(workflows): assign explicit permissions #284

caugner · 2025-10-16T15:48:27Z

Description

Adds explicit permissions: configuration to workflow files that don't already have permissions defined either at the workflow level or for all jobs.

If the workflow doesn't use secrets.GITHUB_TOKEN or github.token, sets permissions: {} to restrict all permissions.
If the workflow uses the GitHub token, adds permissions: with required permissions.

Motivation

Security best practice to explicitly declare GITHUB_TOKEN permissions instead of relying on default permissions, following the principle of least privilege by ensuring workflows only have the permissions they actually need.

Additional details

See: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token

Related issues and pull requests

Part of mdn/fred#924.

ci(workflows): assign explicit permissions

986f3e7

caugner requested review from a team and argl and removed request for a team October 16, 2025 15:48

caugner marked this pull request as ready for review October 16, 2025 16:19

argl approved these changes Oct 17, 2025

View reviewed changes

argl merged commit 4e2560b into main Oct 17, 2025
4 checks passed

argl deleted the workflow-permissions branch October 17, 2025 13:08

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

ci(workflows): assign explicit permissions #284

ci(workflows): assign explicit permissions #284

Uh oh!

caugner commented Oct 16, 2025

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

ci(workflows): assign explicit permissions #284

ci(workflows): assign explicit permissions #284

Uh oh!

Conversation

caugner commented Oct 16, 2025

Description

Motivation

Additional details

Related issues and pull requests

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants