Skip to content

Add explicit permissions to GitHub Actions workflows #46

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
jonrohan merged 5 commits into from
Dec 2, 2025
Merged

Add explicit permissions to GitHub Actions workflows #46

jonrohan merged 5 commits into from
Dec 2, 2025

Conversation

Copy link
Contributor

Copilot AI commented Nov 20, 2025
edited
Loading

Two workflow files lacked explicit permission declarations, relying on default permissions which violates least-privilege principles.

Changes

Added permissions: contents: read at job level to:

  • .github/workflows/nodejs.yml (build job)
  • .github/workflows/publish.yml (publish-npm job)

Both workflows only require repository read access for actions/checkout. The publish workflow authenticates to npm using NODE_AUTH_TOKEN secret rather than GitHub permissions.

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v2
      # ...

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • www.googleapis.com
    • Triggering command: node install.js (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

This section details on the original issue you should resolve

<issue_title>Please define actions workflow permissions</issue_title>
<issue_description>## Workflow permissions improvement

There are 2 workflow files that are currently lacking explicit permissions

Affected Workflow Files

The following workflow files need permissions to be explicitly defined:

Request

Ensure permissions are explicitly defined. Below are Copilot prompts/instructions if you would like Copilot's assistance with addressing this.

GitHub Copilot Assignment Prompts and Context

Task: Add explicit permissions to GitHub Actions workflow files that are currently missing them.

Scope: Update the workflow files listed above to include appropriate permissions: blocks.

Analysis Methodology:

  1. Gather Current State: Check if the workflow has any existing permissions defined
  2. Inventory Workflow Actions:
    • Actions performed directly by the workflow
    • API calls made by the workflow
    • External actions included via uses: statements
  3. Determine Required Permissions: Map each action to its minimum required permissions
  4. Synthesize Minimal Permissions: Create permissions block with only necessary permissions

Requirements:

  1. Add a permissions: block to each workflow file that doesn't have one
  2. Start with contents: read as the minimum permission
  3. Add additional permissions only if the workflow actually needs them based on the actions it performs
  4. Place the permissions: block at the job level or workflow level as appropriate
  5. Ensure the syntax is correct and follows YAML formatting
  6. Maintain existing content formatting, including indentation and comments

Files to modify: See the list of affected workflow files above.

Acceptance criteria:

  • All listed workflow files have explicit permissions defined
  • Permissions follow the principle of least privilege
  • YAML syntax is valid
  • Workflows still function correctly after changes

Copilot Instructions:

Please create a pull request that adds appropriate permissions: blocks to each of the workflow files listed above. Analyze each workflow to determine the minimum permissions required based on the actions it performs, and add only those necessary permissions.
</issue_description>

Comments on the Issue (you are @copilot in this section)

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

Copilot AI and others added 2 commits November 20, 2025 19:35
@jonrohan
Initial analysis of workflow permissions requirements
efcc9a5 
Co-authored-by: jonrohan <54012+jonrohan@users.noreply.github.com>
@jonrohan
Add explicit permissions to GitHub Actions workflows
87de5eb 
Co-authored-by: jonrohan <54012+jonrohan@users.noreply.github.com>
Copilot AI changed the title [WIP] Add explicit permissions to workflow files Add explicit permissions to GitHub Actions workflows Nov 20, 2025
Copilot AI requested a review from jonrohan November 20, 2025 19:40
@jonrohan jonrohan marked this pull request as ready for review November 20, 2025 21:04
@jonrohan jonrohan requested a review from a team as a code owner November 20, 2025 21:04
Copilot AI review requested due to automatic review settings November 20, 2025 21:04
@jonrohan jonrohan enabled auto-merge November 20, 2025 21:04
Copilot AI reviewed Nov 20, 2025
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR enhances security by adding explicit permission declarations to GitHub Actions workflows, following the principle of least privilege instead of relying on default permissions.

  • Added permissions: contents: read at the job level to both workflow files
  • Both workflows only require read access for repository checkout operations
  • The publish workflow uses npm token authentication independently of GitHub permissions

Reviewed Changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated no comments.

File Description
.github/workflows/nodejs.yml Added explicit contents: read permission to the build job for repository checkout
.github/workflows/publish.yml Added explicit contents: read permission to the publish-npm job for repository checkout

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@jonrohan jonrohan disabled auto-merge December 2, 2025 20:58
@jonrohan jonrohan enabled auto-merge December 2, 2025 21:00
@jonrohan jonrohan merged commit 2693c2d into main Dec 2, 2025
4 checks passed
@jonrohan jonrohan deleted the copilot/define-workflow-permissions branch December 2, 2025 21:06
@jonrohan jonrohan mentioned this pull request Dec 2, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@francinelucca francinelucca francinelucca approved these changes

@jonrohan jonrohan Awaiting requested review from jonrohan

Assignees

@jonrohan jonrohan

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Please define actions workflow permissions

3 participants

@francinelucca @jonrohan