From 83bef7ad65c4c03750c081a5aed4205e86e5d349 Mon Sep 17 00:00:00 2001
From: jmeridth
Date: Mon, 16 Mar 2026 11:22:17 -0500
Subject: [PATCH] fix: move workflow permissions from job level to workflow level

Job-level permissions are capped by workflow-level permissions. With workflow-level set to only `contents: read`, job-level write permissions were silently capped, breaking actions like markPullRequestReadyForReview.
---
 .github/workflows/auto-labeler.yml | 4 +---
 .github/workflows/codeql.yml | 6 ++----
 .github/workflows/mark-ready-when-ready.yml | 10 ++++------
 .github/workflows/pr-title.yml | 6 ++----
 .github/workflows/release.yml | 18 ++++++------------
 .github/workflows/scorecard.yml | 6 ++----
 .github/workflows/stale.yml | 5 ++---
 7 files changed, 19 insertions(+), 36 deletions(-)
diff --git a/.github/workflows/auto-labeler.yml b/.github/workflows/auto-labeler.yml
index 976eec8..a56305c 100644
--- a/.github/workflows/auto-labeler.yml
+++ b/.github/workflows/auto-labeler.yml
@@ -6,11 +6,9 @@ on:
 types: [opened, reopened, edited, synchronize]
 permissions:
 contents: read
+ pull-requests: write
 jobs:
 main:
- permissions:
- contents: read
- pull-requests: write
 uses: github-community-projects/ospo-reusable-workflows/.github/workflows/auto-labeler.yaml@3b691dff6b68489c8548e1295d125c93c9c29a4e
 with:
 config-name: release-drafter.yml
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 0380a03..cfc4dae 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -21,16 +21,14 @@ on:
 - cron: "0 0 * * 1"
 permissions:
+ actions: read
 contents: read
+ security-events: write
 jobs:
 analyze:
 name: Analyze
 runs-on: ubuntu-latest
- permissions:
- actions: read
- contents: read
- security-events: write
 strategy:
 fail-fast: false
diff --git a/.github/workflows/mark-ready-when-ready.yml b/.github/workflows/mark-ready-when-ready.yml
index 5deb181..6d32ac7 100644
--- a/.github/workflows/mark-ready-when-ready.yml
+++ b/.github/workflows/mark-ready-when-ready.yml
@@ -5,7 +5,10 @@ on:
 types: [opened, edited, labeled, unlabeled, synchronize]
 permissions:
- contents: read
+ checks: read
+ contents: write
+ pull-requests: write
+ statuses: read
 concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
@@ -15,11 +18,6 @@ jobs:
 mark-ready:
 name: Mark as ready after successful checks
 runs-on: ubuntu-latest
- permissions:
- checks: read
- contents: write
- pull-requests: write
- statuses: read
 if: |
 contains(github.event.pull_request.labels.*.name, 'Mark Ready When Ready') && github.event.pull_request.draft == true
diff --git a/.github/workflows/pr-title.yml b/.github/workflows/pr-title.yml
index 27521b8..8df840a 100644
--- a/.github/workflows/pr-title.yml
+++ b/.github/workflows/pr-title.yml
@@ -6,12 +6,10 @@ on:
 types: [opened, reopened, edited, synchronize]
 permissions:
 contents: read
+ pull-requests: read
+ statuses: write
 jobs:
 main:
- permissions:
- contents: read
- pull-requests: read
- statuses: write
 uses: github-community-projects/ospo-reusable-workflows/.github/workflows/pr-title.yaml@3b691dff6b68489c8548e1295d125c93c9c29a4e
 secrets:
 github-token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index c1f5d8a..f082d8c 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -6,12 +6,14 @@ on:
 types: [closed]
 branches: [main]
 permissions:
- contents: read
+ attestations: write
+ contents: write
+ discussions: write
+ id-token: write
+ packages: write
+ pull-requests: read
 jobs:
 release:
- permissions:
- contents: write
- pull-requests: read
 uses: github-community-projects/ospo-reusable-workflows/.github/workflows/release.yaml@3b691dff6b68489c8548e1295d125c93c9c29a4e
 with:
 publish: true
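Review bot: The rationale given for this hunk does not match GitHub's documented permission model as I understand it: a job-level `permissions` block replaces the workflow-level block for that job rather than being capped by it, so the removed `pull-requests: write` on `mark-ready` should already have applied to the markPullRequestReadyForReview call. If that call still fails after this change, the cause is probably elsewhere; one documented case is that `pull_request` runs triggered from a fork receive a read-only GITHUB_TOKEN regardless of `permissions`, which fits a workflow that acts on incoming draft PRs. Either way, the new workflow-level block would benefit from a comment recording the observed failure and why the grants live here, e.g. `# workflow-level on purpose: see <issue/run link placeholder> for the capped-token failure`. The `mark-ready` job's body (the `if:` block and its steps) continues outside the hunk, so I could not confirm which step consumes the token.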
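Review bot: Hoisting all three jobs' grants into one workflow-level block in release.yml widens each job's GITHUB_TOKEN beyond what it used: `release` previously had only `contents: write` and `pull-requests: read` and now also receives `id-token: write`, `packages: write`, `attestations: write` and `discussions: write`; the `@@ -20,11 +22,6 @@` (release_image) and `@@ -37,9 +34,6 @@` (release_discussion) hunks likewise hand every job the other jobs' write scopes, with `id-token: write` (OIDC minting) and `packages: write` being the ones I would least want in a job that only posts a discussion. A job-level block can always narrow the workflow-level grant, including under the capping model the commit message describes, so I would keep the union at workflow level but re-add a restricting block per job, e.g. for `release_discussion`: `permissions:` / `  contents: read` / `  discussions: write`, and the analogous blocks for `release` and `release_image`. All three jobs call SHA-pinned reusable workflows, so their actual token usage is outside this diff; the narrowing should mirror what each called workflow documents as required.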
@@ -20,11 +22,6 @@ jobs:
 github-token: ${{ secrets.GITHUB_TOKEN }}
 release_image:
 needs: release
- permissions:
- contents: read
- packages: write
- id-token: write
- attestations: write
 uses: github-community-projects/ospo-reusable-workflows/.github/workflows/release-image.yaml@3b691dff6b68489c8548e1295d125c93c9c29a4e
 with:
 image-name: ${{ github.repository }}
@@ -37,9 +34,6 @@ jobs:
 image-registry-password: ${{ secrets.GITHUB_TOKEN }}
 release_discussion:
 needs: release
- permissions:
- contents: read
- discussions: write
 uses: github-community-projects/ospo-reusable-workflows/.github/workflows/release-discussion.yaml@3b691dff6b68489c8548e1295d125c93c9c29a4e
 with:
 full-tag: ${{ needs.release.outputs.full-tag }}
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index c554a6b..0bc93d5 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -15,15 +15,13 @@ on:
 permissions:
 contents: read
+ id-token: write
+ security-events: write
 jobs:
 analysis:
 name: Merge to Main Scorecard analysis
 runs-on: ubuntu-latest
- permissions:
- contents: read
- security-events: write
- id-token: write
 steps:
 - name: Harden the runner (Audit all outbound calls)
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 17c96be..c096fb8 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -5,13 +5,12 @@ on:
 permissions:
 contents: read
+ issues: write
+ pull-requests: read
 jobs:
 stale:
 runs-on: ubuntu-latest
- permissions:
- issues: write
- pull-requests: read
 steps:
 - name: Harden the runner (Audit all outbound calls)
 uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1