[sec-check] fix: Token-Permissions — ai-fix.yml deny-all top-level, split pull_request_target to dedicated job #19945

clubanderson wants to merge 2 commits into
Conversation
…ions: read-all at workflow level

Add top-level `permissions: read-all` to 39 workflows that previously declared write permissions (issues, pull-requests, contents) at the workflow level without a restrictive default, violating the principle of least privilege and the GitHub Scorecard Token-Permissions check.

For single-job and reusable workflows the original write grants are preserved at the job level. For multi-job workflows the top-level default is tightened to read-all; existing per-job grants are kept as-is (jobs that already had per-job permissions are unchanged).

Fixes #17336

Signed-off-by: sec-check <sec-check@hive.kubestellar.io>
[APPROVALNOTIFIER] This PR is NOT APPROVED. This pull-request has been approved by: (none listed). The full list of commands accepted by this bot can be found here. Needs approval from an approver in each of these files; approvers can indicate their approval by writing the approve command.
PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
Pull request overview
This PR hardens GitHub Actions token permissions, primarily to address the Scorecard Token-Permissions finding around pull_request_target usage in ai-fix.yml, by moving away from workflow-level write permissions and scoping writes to only the jobs that need them.
Changes:
- Updates `ai-fix.yml` to `permissions: {}` (deny-all), splits `pull_request_target` handling into a dedicated job with a same-repo guard, and pins the reusable workflow to a commit SHA.
- Applies a repo-wide pattern of setting workflow-level `permissions: read-all` and moving write permissions to job-level blocks.
- Adds/adjusts job-level permissions across numerous workflows to reduce privilege on events like `pull_request_target`.
Reviewed changes
Copilot reviewed 39 out of 39 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| .github/workflows/ai-fix.yml | Deny-all at workflow level; splits PR-target behavior into a guarded job; pins reusable workflow by SHA. |
| .github/workflows/workflow-failure-issue.yml | Moves write permissions from workflow scope to job scope. |
| .github/workflows/triage-command.yml | Switches workflow default to read-all (but currently missing required job-level writes for issue edits/comments). |
| .github/workflows/tier-classifier.yml | Scopes pull-requests: write to the job and keeps contents read explicit. |
| .github/workflows/test-coverage-check.yml | Scopes PR/issue write permissions to the job. |
| .github/workflows/stale.yml | Scopes issues: write to the job. |
| .github/workflows/preview-status.yml | Scopes pull-requests: write to the job. |
| .github/workflows/pr-closed-verification.yml | Scopes PR/issue write permissions to the job. |
| .github/workflows/pr-claude-notice.yml | Scopes pull-requests: write to the job with same-repo guard. |
| .github/workflows/post-merge-verify.yml | Switches workflow default to read-all (but currently missing required job-level writes for PR/issue reporting). |
| .github/workflows/perf-ttfi.yml | Switches workflow default to read-all and introduces job-level scoping where needed. |
| .github/workflows/perf-react-commits.yml | Switches workflow default to read-all and introduces job-level scoping where needed. |
| .github/workflows/perf-react-commits-idle.yml | Switches workflow default to read-all and introduces job-level scoping where needed. |
| .github/workflows/perf-bundle-size.yml | Switches workflow default to read-all and introduces job-level scoping where needed. |
| .github/workflows/nil-safety.yml | Switches workflow default to read-all. |
| .github/workflows/nightly-ux-journeys.yml | Switches workflow default to read-all. |
| .github/workflows/nightly-gh-aw-version-check.yml | Adds job-level permissions for contents read + issues write. |
| .github/workflows/nightly-dast.yml | Switches workflow default to read-all (but currently missing required job-level issues write for issue creation/updates). |
| .github/workflows/nightly-dashboard-health.yml | Switches workflow default to read-all (but currently missing required job-level issues write for issue creation/updates). |
| .github/workflows/nightly-compliance.yml | Switches workflow default to read-all (but currently missing required job-level issues write/actions read for issue creation + artifact download). |
| .github/workflows/new-contributor-pr-gate.yml | Moves PR/issue write permissions to the guarded job. |
| .github/workflows/label-helper.yml | Moves PR/issue write permissions to the reusable-workflow job. |
| .github/workflows/kb-nightly-validation.yml | Adds job-level permissions for contents read + issues write. |
| .github/workflows/hive-trust-gate.yml | Adds job-level permissions for contents read + issues write. |
| .github/workflows/ga4-mobile-monitor.yml | Adds job-level permissions for contents read + issues write. |
| .github/workflows/ga4-error-regression.yml | Adds job-level permissions for contents read + issues write. |
| .github/workflows/ga4-error-monitor.yml | Adds job-level permissions for contents read + issues write. |
| .github/workflows/feedback.yml | Moves PR write permissions to the reusable-workflow job. |
| .github/workflows/coverage-weekly-review.yml | Adds job-level permissions for contents read + issues write. |
| .github/workflows/coverage-gate.yml | Adds job-level permissions for contents read + PR write. |
| .github/workflows/copilot-dco.yml | Moves PR write permissions to the reusable-workflow job. |
| .github/workflows/console-issue-labels.yml | Moves issues write permissions to the job. |
| .github/workflows/console-app-smoke.yml | Switches workflow default to read-all (but currently missing required job-level issues write for issue creation; fix recommended). |
| .github/workflows/console-app-roundtrip.yml | Adds job-level permissions for contents read + issues write. |
| .github/workflows/auto-test-gen.yml | Adds job-level permissions for contents read + PR write (guarded). |
| .github/workflows/auth-login-smoke.yml | Adds job-level permissions for contents read + issues write. |
| .github/workflows/assignment-helper.yml | Moves issues write permissions to the reusable-workflow job. |
| .github/workflows/ai-attribution.yml | Adds job-level permissions for contents read + PR write. |
| .github/workflows/add-help-wanted.yml | Moves issues write permissions to the reusable-workflow job. |
| .github/workflows/_perf-regression-issue.yml | Adds job-level permissions for contents read + issues write. |
Diff context attached to the six review comments (the comment bodies themselves are not preserved on this page). Two fragments recur at every anchor: the new workflow-level default

```yaml
permissions: read-all # default read; writes scoped to job below
```

and the job-level grant that the review expects to accompany it (one of the six anchors also carries `pull-requests: write`):

```yaml
permissions:
  contents: read
  issues: write
```
Security Fix

Fixes the `pull_request_target` Token-Permissions regression in `ai-fix.yml`.

Changes:
- `permissions: {}` at the workflow level (deny-all default)
- Split `pull_request_target` from standard triggers:
  - `ai-fix` job: handles `workflow_dispatch` and `issues: labeled` with minimal `issues: write` scope
  - `update-issue-on-pr` job: handles `pull_request_target` (same-repo only) with `issues: write` + `pull-requests: read`

This eliminates the overly-broad `contents: write` and `pull-requests: write` that were granted to all workflow events, including fork-PR `pull_request_target` events.

Fixes #19944

Filed by sec-check agent (ACMM L6 — full mode)
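The shape described in the PR description and in the Copilot review summary, written out as an added example; this is not the repository's actual `ai-fix.yml`. The job names `ai-fix` and `update-issue-on-pr` and the `pull_request_target` same-repo guard come from the page; the reusable-workflow path, the all-zero commit SHA, and the issue-comment step are placeholders. The second job also shows why the review flagged several workflows as "missing required job-level writes": once the workflow default is `{}` or `read-all`, any job that creates or edits issues must declare `issues: write` itself, or its `gh` calls fail with 403.

```yaml
name: ai-fix

on:
  workflow_dispatch:
  issues:
    types: [labeled]
  pull_request_target:
    types: [opened, synchronize]

# Deny-all default at the workflow level: every job must request what it needs.
permissions: {}

jobs:
  ai-fix:
    # Standard triggers only; pull_request_target is routed to the job below.
    if: github.event_name != 'pull_request_target'
    permissions:
      issues: write
    # Placeholder reusable workflow, pinned to a full commit SHA rather than a
    # tag or branch (the SHA here is a dummy value, not a real commit).
    uses: example-org/example-repo/.github/workflows/ai-fix-reusable.yml@0000000000000000000000000000000000000000

  update-issue-on-pr:
    # Same-repo guard: PRs from forks never reach this job's write-scoped token.
    if: >-
      github.event_name == 'pull_request_target' &&
      github.event.pull_request.head.repo.full_name == github.repository
    runs-on: ubuntu-latest
    permissions:
      issues: write
      pull-requests: read
    steps:
      - name: Comment on the issue linked from the PR body
        env:
          GH_TOKEN: ${{ github.token }}
          GH_REPO: ${{ github.repository }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          # Attacker-influenced text is passed through env, never interpolated
          # into the script body, so it cannot alter the shell commands.
          PR_BODY: ${{ github.event.pull_request.body }}
        run: |
          issue=$(printf '%s\n' "$PR_BODY" | grep -oiE 'fixes #[0-9]+' | head -n1 | tr -dc '0-9')
          if [ -n "$issue" ]; then
            gh issue comment "$issue" --body "Linked PR #${PR_NUMBER} was updated."
          fi
```

For a job that calls a reusable workflow with `uses:`, the caller's `permissions:` block is the ceiling for everything the called workflow does, so the scope granted there is what Scorecard evaluates for that job. The `if:` guard on `update-issue-on-pr` is the only thing standing between a fork PR and a token with `issues: write`, which is why the review treats the guard and the per-job scoping as one change rather than two.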