Skip to content

ci: declare minimum permissions on CodeQL workflow#1041

Open
arpitjain099 wants to merge 1 commit into
spotify:masterfrom
arpitjain099:chore/declare-codeql-perms
Open

ci: declare minimum permissions on CodeQL workflow#1041
arpitjain099 wants to merge 1 commit into
spotify:masterfrom
arpitjain099:chore/declare-codeql-perms

Conversation

@arpitjain099

Copy link
Copy Markdown

Currently .github/workflows/codeql-analysis.yml carries no permissions block, so the analyze run inherits whatever the repo or org default GITHUB_TOKEN scope is set to. This PR declares the three scopes the workflow actually needs at the top level: actions: read, contents: read, and security-events: write for the SARIF upload step. It is the same shape the current GitHub CodeQL starter template recommends.

The reason to nail this down explicitly even when the inherited default may already be reasonable is the supply-chain threat surfaced by CVE-2025-30066 (the March 2025 tj-actions/changed-files compromise): a tampered third-party action can read GITHUB_TOKEN out of the runner and the blast radius is whatever scope the token carries. Pinning the workflow scope caps the runtime authority of every action that runs inside it, gives drift protection if the org default ever widens, and is what OpenSSF Scorecard's Token-Permissions check actually credits.

YAML validated locally with yaml.safe_load.

@codecov

codecov Bot commented Jun 5, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 91.92%. Comparing base (05add13) to head (7967a1e).
⚠️ Report is 2 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff            @@
##             master    #1041   +/-   ##
=========================================
  Coverage     91.92%   91.92%           
  Complexity      283      283           
=========================================
  Files            27       27           
  Lines          1015     1015           
  Branches         86       86           
=========================================
  Hits            933      933           
  Misses           54       54           
  Partials         28       28           
🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
@arpitjain099 arpitjain099 force-pushed the chore/declare-codeql-perms branch from 7967a1e to 8dd5ab0 Compare June 10, 2026 07:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants