Copilot AI commented Jan 16, 2026

Context

GitHub Actions workflows should follow the principle of least privilege by declaring explicit permissions rather than relying on default permissions. This reduces attack surface and improves security posture.

Related Jira ticket

N/A

Screenshots

N/A


Changes

Added explicit permissions: contents: read declarations to workflows that only need repository read access:

  • .github/workflows/ci.yml - CI workflow for builds, lints, and tests on PRs
  • .github/workflows/copilot-setup-steps.yml - Setup validation workflow

The release.yml workflow already had appropriate permissions defined (contents: read, pages: write, id-token: write) for its deployment operations.

permissions:
  contents: read

All workflows now explicitly declare their required permissions rather than inheriting default GITHUB_TOKEN permissions.

Original prompt

This section details the original issue you should resolve

<issue_title>add explicit permissions to GH workflows</issue_title>
<issue_description></issue_description>

Comments on the Issue (you are @copilot in this section)


Co-authored-by: timowestnosto <13622115+timowestnosto@users.noreply.github.com>
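As an added example (not code from this PR or the repository), a small Python check of the kind a reviewer might run over workflow files before merging: it reports a workflow that has no top-level permissions block (so GITHUB_TOKEN inherits the repository default), a blanket write-all, and every scope granted write. The three sample workflows are constructed here; the before/after pair mirrors the contents: read change this PR makes, and the third carries the release.yml scopes listed in the description.

```python
import re

# Sample workflows constructed for this example (not the project's files).
CI_BEFORE = """\
name: CI
on: [pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm test
"""
# The change this PR makes: a workflow-level block granting only repository read.
CI_AFTER = CI_BEFORE.replace("jobs:", "permissions:\n  contents: read\njobs:", 1)
# Deployment workflow with the same scopes the page lists for release.yml.
RELEASE = """\
name: Release
on: [push]
permissions:
  contents: read
  pages: write
  id-token: write
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps: [{run: echo deploy}]
"""

def top_level_permissions(text):
    """Workflow-level permissions as a dict, or None when absent. Scalar forms
    (read-all, write-all, {}) return {'*': value}. Only a column-0 'permissions:'
    counts, so indented job-level blocks are ignored; plain line scan, no YAML lib."""
    m = re.search(r"^permissions:[ \t]*(\S*)[ \t]*\n((?:[ \t]+.*\n?)*)", text, re.M)
    if not m:
        return None
    if m.group(1):
        return {"*": m.group(1)}
    return dict(re.findall(r"^[ \t]+([\w-]+):[ \t]*(\S+)", m.group(2), re.M))

def findings(text):
    """Least-privilege review: missing block, blanket write-all, or each scope
    granted write (legitimate for a deployment, but each one needs a reason)."""
    perms = top_level_permissions(text)
    if perms is None:
        return ["missing: GITHUB_TOKEN inherits the repository default permissions"]
    if perms.get("*") == "write-all":
        return ["write-all: every scope is writable"]
    return [f"write scope: {s}" for s, level in sorted(perms.items()) if level == "write"]
```

An empty result means the workflow declares permissions and grants nothing beyond read, which is the state this PR puts ci.yml and copilot-setup-steps.yml in.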
Copilot AI changed the title from "[WIP] Add explicit permissions to GitHub workflows" to "feat: add explicit permissions to GitHub workflows" on Jan 16, 2026
Copilot AI requested a review from timowestnosto January 16, 2026 09:35
timowestnosto marked this pull request as ready for review January 16, 2026 09:55
Copilot AI review requested due to automatic review settings January 16, 2026 09:55
Copilot AI left a comment

Pull request overview

This PR enhances security posture by adding explicit permission declarations to GitHub Actions workflows, following the principle of least privilege.

Changes:

  • Added permissions: contents: read to ci.yml workflow
  • Added permissions: contents: read to copilot-setup-steps.yml workflow
  • Verified release.yml already has appropriate permissions defined

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

Files reviewed:

  • .github/workflows/ci.yml - Added explicit read-only permissions for CI builds, lints, and tests
  • .github/workflows/copilot-setup-steps.yml - Added explicit read-only permissions for setup validation
