From 89aeb29c0416750e90889bf28e7fb8a3eeb12d39 Mon Sep 17 00:00:00 2001
From: Ismo Vuorinen
Date: Sat, 7 Feb 2026 13:46:03 +0200
Subject: [PATCH] fix(ci): replace broad permissions with specific scopes in workflows

Replace read-all/write-all with minimum required permission scopes across all GitHub Actions workflows to follow the principle of least privilege (SonarCloud rule githubactions:S8234).
---
 .github/workflows/changelog.yml | 6 ++++--
 .github/workflows/linters.yml | 3 ++-
 .github/workflows/new-release.yml | 6 ++++--
 .github/workflows/pre-commit-autoupdate.yml | 3 ++-
 .github/workflows/semantic-pr.yml | 3 ++-
 .github/workflows/sync-labels.yml | 3 ++-
 .github/workflows/update-submodules.yml | 6 ++++--
 7 files changed, 20 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/changelog.yml b/.github/workflows/changelog.yml
index 1eb2b65..a3a3443 100644
--- a/.github/workflows/changelog.yml
+++ b/.github/workflows/changelog.yml
@@ -9,13 +9,15 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
-permissions: read-all
+permissions:
+ contents: read
 jobs:
 debug-changelog:
 runs-on: ubuntu-latest
- permissions: write-all
+ permissions:
+ contents: read
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
diff --git a/.github/workflows/linters.yml b/.github/workflows/linters.yml
index a5ff5d6..9499c82 100644
--- a/.github/workflows/linters.yml
+++ b/.github/workflows/linters.yml
@@ -11,7 +11,8 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
-permissions: read-all
+permissions:
+ contents: read
 jobs:
 Linter:
diff --git a/.github/workflows/new-release.yml b/.github/workflows/new-release.yml
index 5cad4b6..45456a9 100644
--- a/.github/workflows/new-release.yml
+++ b/.github/workflows/new-release.yml
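Review bot: The job-level `permissions:` / `contents: read` added to `debug-changelog` is identical to the new workflow-level block, so it grants nothing the job would not already inherit; dropping it leaves the same effective token and one place to maintain. Keep it only if this job is meant to keep working unchanged when the workflow-level default is narrowed further later. The job previously ran with `write-all` and its steps continue outside the hunk; if any step after the pinned `actions/checkout` pushes, tags or comments with `GITHUB_TOKEN`, it will now get a 403, so the step list should be checked before merging.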
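Review bot: Narrowing the workflow-level default from `read-all` to `contents: read` also drops `pull-requests: read`, `issues: read`, `checks: read` and every other read scope, and the `Linter` job (outside the hunk, unchanged according to the diffstat) inherits only what is listed here. If that job reads PR metadata or posts annotations with `GITHUB_TOKEN`, it needs its own job-level block such as `permissions:` / `contents: read` / `pull-requests: read`; if it only checks out and lints, this change is sufficient. The same verification applies to `pre-commit-autoupdate.yml`, `semantic-pr.yml` and `sync-labels.yml`, whose hunks likewise touch only the workflow-level block: the pushing, PR-opening or label-editing those jobs presumably do can only be satisfied by an existing job-level block or a separately stored token, and a job-level block replaces rather than merges with the workflow-level one, so each job's own `permissions:` should be read alongside this change.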
@@ -11,13 +11,15 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
-permissions: read-all
+permissions:
+ contents: read
 jobs:
 new-daily-release:
 runs-on: ubuntu-latest
- permissions: write-all
+ permissions:
+ contents: write
 outputs:
 created: ${{ steps.daily-version.outputs.created }}
diff --git a/.github/workflows/pre-commit-autoupdate.yml b/.github/workflows/pre-commit-autoupdate.yml
index 55247ee..a44ab2d 100644
--- a/.github/workflows/pre-commit-autoupdate.yml
+++ b/.github/workflows/pre-commit-autoupdate.yml
@@ -12,7 +12,8 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
-permissions: read-all
+permissions:
+ contents: read
 jobs:
 auto-update:
diff --git a/.github/workflows/semantic-pr.yml b/.github/workflows/semantic-pr.yml
index f882012..a4e7ab8 100644
--- a/.github/workflows/semantic-pr.yml
+++ b/.github/workflows/semantic-pr.yml
@@ -14,7 +14,8 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
-permissions: read-all
+permissions:
+ pull-requests: read
 jobs:
 semantic-pr:
diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml
index aab4089..09a5e85 100644
--- a/.github/workflows/sync-labels.yml
+++ b/.github/workflows/sync-labels.yml
@@ -19,7 +19,8 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
-permissions: read-all
+permissions:
+ contents: read
 jobs:
 SyncLabels:
diff --git a/.github/workflows/update-submodules.yml b/.github/workflows/update-submodules.yml
index 9b304c1..a32d76f 100644
--- a/.github/workflows/update-submodules.yml
+++ b/.github/workflows/update-submodules.yml
@@ -12,13 +12,15 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
-permissions: read-all
+permissions:
+ contents: read
 jobs:
 update-submodules:
 runs-on: ubuntu-latest
- permissions: write-all
+ permissions:
+ contents: write
 steps:
 - name: Checkout repository
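Review bot: `contents: write` on `new-daily-release` is the right scope for creating a tag or release, but the `outputs:` block (`created`) implies at least one downstream job consuming it, and downstream jobs fall back to the workflow-level `contents: read` unless they declare their own block. Any follow-on job that uploads release assets or pushes needs its own `permissions:` / `contents: write`, so the rest of the file, which is outside this hunk, should be checked. Because a job-level block replaces the workflow-level one rather than merging with it, listing `contents: write` alone sets every other scope to none, which is fine here as long as no step in this job needs, for example, `pull-requests: write`.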
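Review bot: `contents: write` lets the `update-submodules` job push the bumped submodule pointers with `GITHUB_TOKEN`, but if the job opens a pull request instead of committing directly it additionally needs `pull-requests: write`; the steps continue past `Checkout repository` outside the hunk, so which of the two it does should be confirmed. If the checkout or push uses a separately stored token rather than `GITHUB_TOKEN`, this narrowed block does not limit that token at all, which is worth a comment next to the block so the next reader does not assume the job is fully scoped down, e.g. `# GITHUB_TOKEN scope only; see the push step for the token actually used`.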