
PDP-1182 SECCMP-1797: Add top-level permissions to restrict default token#255

Open
GAdityaVarma wants to merge 2 commits into develop from fix/SECCMP-1797-harden-permissions

Conversation

@GAdityaVarma
Contributor

SECCMP-1797: Add top-level permissions to restrict default token

Adds permissions: contents: read at the workflow level to restrict the default GITHUB_TOKEN scope. Without this, all jobs inherit the full pull_request_target write token.

The copyright-validation job already declares its own permissions block which overrides the default for that specific job.

Ref: Preventing pwn requests

rjrudin and others added 2 commits January 16, 2026 14:48
Adds explicit top-level permissions: contents: read to limit the
default GITHUB_TOKEN scope for all jobs. Individual jobs that need
write access (copyright-validation) already declare their own
permissions block which overrides the default.

This follows the principle of least privilege recommended in
GitHub's PwnRequest security guidance.
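Added illustration of the change described in the PR description and commit message above. This is example code written for this page, not the repository's own workflow file: the workflow name, job names, steps, script paths and the exact scopes the copyright-validation job needs are assumptions. Deleting the top-level `permissions:` block gives the weak form the PR fixes, where every job inherits the write-scoped token.

```yaml
# Added example for this page, not the repository's workflow file.
# Assumptions: workflow/job names, steps, script paths, and the scopes that
# copyright-validation actually needs.
name: pr-checks

on:
  # pull_request_target runs in the BASE repository's context, so the default
  # GITHUB_TOKEN is write-scoped (unless the repo/org default is already
  # "read repository contents") and repository secrets are available.
  pull_request_target:
    types: [opened, synchronize, reopened]

# The fix: a workflow-level default that every job inherits.
# Before this PR the block was absent, so each job received the full
# write-scoped token described in the PR description.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    # No permissions block here, so this job inherits contents: read.
    steps:
      - uses: actions/checkout@v4   # default ref is the base branch, not the PR head
      - run: ./scripts/build.sh     # assumption: trusted script from the base ref

  copyright-validation:
    runs-on: ubuntu-latest
    # A job-level block REPLACES the workflow-level block for this job;
    # it is not merged with it, so list every scope the job needs.
    permissions:
      contents: read
      pull-requests: write   # assumption: the job's write access is for commenting on the PR
    steps:
      # Trusted tooling from the base ref.
      - uses: actions/checkout@v4
      # Untrusted PR head, checked out to a subdirectory and never executed.
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          path: pr-head
          persist-credentials: false   # do not leave the token in pr-head/.git
      - run: ./scripts/check-copyright-headers.sh pr-head
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

Two caveats when applying this. First, `permissions:` only bounds what GITHUB_TOKEN may do; it does not protect other secrets the job references, and it does not help if a pull_request_target job checks out the PR head and executes its code, which is the pwn request the referenced guidance describes, hence the split checkout above. Second, confirm the effective scope rather than trusting the YAML: the "Set up job" step of each run logs the GITHUB_TOKEN permissions that job actually received, and the repository's Settings > Actions > General > Workflow permissions setting can make the default read-only for workflows that forget the block.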
Copilot AI review requested due to automatic review settings April 8, 2026 13:59

Copilot AI left a comment


Pull request overview

This PR tightens GitHub Actions security for the pull_request_target workflow by restricting the default GITHUB_TOKEN permissions at the workflow level, reducing exposure to unintended write-scoped token usage across jobs.

Changes:

  • Adds a top-level permissions block setting contents: read for the workflow.
  • Keeps the copyright-validation job’s explicit permission overrides intact.


@rjrudin rjrudin changed the base branch from master to develop April 8, 2026 14:03
@GAdityaVarma GAdityaVarma changed the title SECCMP-1797: Add top-level permissions to restrict default token PDP-1182 SECCMP-1797: Add top-level permissions to restrict default token Apr 8, 2026
@SameeraPriyathamTadikonda
Contributor

@GAdityaVarma Let's remove this workflow from this repository.

4 participants