Skip to content

ci: declare workflow-level contents: read on 10 read-only workflows#6311

Open
arpitjain099 wants to merge 1 commit into
elastic:mainfrom
arpitjain099:chore/declare-workflow-perms-readonly
Open

ci: declare workflow-level contents: read on 10 read-only workflows#6311
arpitjain099 wants to merge 1 commit into
elastic:mainfrom
arpitjain099:chore/declare-workflow-perms-readonly

Conversation

@arpitjain099
Copy link
Copy Markdown

@arpitjain099 arpitjain099 commented May 14, 2026

Summary of your changes

Pins the default GITHUB_TOKEN to contents: read on the 10 workflows in .github/workflows/ that don't actually use the default token for any write operation. Several look write-y from the filename, but the actual git push goes through a separate PAT (CLOUDSEC_MACHINE_TOKEN) not GITHUB_TOKEN:

  • arm-template-lint.yml: ARM template lint, no GitHub API.
  • bump-version.yml: workflow_dispatch; checkouts and pushes via CLOUDSEC_MACHINE_TOKEN. Default token unused.
  • ci-pull_request.yml: standard PR CI. The only secrets.GITHUB_TOKEN reference is COVERALLS_TOKEN passed to goveralls, which uses the token to identify with Coveralls (token read for auth, not GitHub API write).
  • cloudformation-ci.yml: only the push trigger is active; the pull_request_target block is commented out. No GitHub API.
  • packaging.yml: build only.
  • sync-internal-cloudbeat-version.yml: workflow_dispatch; all git ops use CLOUDSEC_MACHINE_TOKEN.
  • sync-rule-templates.yml: same pattern; CLOUDSEC_MACHINE_TOKEN does the writes.
  • test-opa-coverage.yml, test-opa-policies.yml, unit-test.yml: standard test workflows, no GitHub API.

eks-ci.yml is intentionally left out. It passes GITHUB_TOKEN to andrcuns/allure-publish-action which posts allure reports as PR comments, so it needs pull-requests: write. Better to leave that scope decision to a maintainer.

Related Issues

None. This is a standalone CI hygiene PR.

Why

CVE-2025-30066 (March 2025 tj-actions/changed-files supply-chain compromise) exfiltrated GITHUB_TOKEN from workflow logs and the leaked token retained whatever scope was issued at the workflow level. Pinning per workflow caps that runtime authority irrespective of the repo or org default, gives drift protection if the default ever widens, and is credited per-file by the OpenSSF Scorecard Token-Permissions check.

Checklist

  • YAML validated locally with yaml.safe_load on each touched file.
  • No functional change; only the scope of the implicit GITHUB_TOKEN is narrowed.
  • Workflows whose actual writes use CLOUDSEC_MACHINE_TOKEN are unaffected by this scope change.

@arpitjain099
ci: declare workflow-level contents: read on 10 read-only workflows
fc54fef 
Pins the default GITHUB_TOKEN to contents: read on the 10 workflows in
.github/workflows/ that don't actually use the default token for any
write operation. Several of these are bump/sync workflows that look
write-y from the filename, but the actual git push goes through a
separate PAT (CLOUDSEC_MACHINE_TOKEN), not GITHUB_TOKEN:

- arm-template-lint.yml: ARM template lint, no GitHub API.
- bump-version.yml: workflow_dispatch; checkouts and pushes via
  CLOUDSEC_MACHINE_TOKEN. Default token unused.
- ci-pull_request.yml: standard PR CI. The only secrets.GITHUB_TOKEN
  reference is COVERALLS_TOKEN passed to goveralls, which uses the
  token to authenticate with Coveralls (token read, not GitHub API
  write).
- cloudformation-ci.yml: only the push trigger is active; the
  pull_request_target block is commented out. No GitHub API.
- packaging.yml: build only.
- sync-internal-cloudbeat-version.yml: workflow_dispatch; all git ops
  via CLOUDSEC_MACHINE_TOKEN.
- sync-rule-templates.yml: same pattern; CLOUDSEC_MACHINE_TOKEN does
  the writes.
- test-opa-coverage.yml, test-opa-policies.yml, unit-test.yml:
  standard test workflows, no GitHub API.

eks-ci.yml is intentionally left out. It passes GITHUB_TOKEN to
andrcuns/allure-publish-action which posts allure reports as PR
comments, so it needs pull-requests: write. Better to let a maintainer
declare that scope.

Motivation: CVE-2025-30066 (March 2025 tj-actions/changed-files
compromise) exfiltrated GITHUB_TOKEN from workflow logs. Pinning per
workflow caps the runtime authority irrespective of repo or org
default, gives drift protection if the default ever widens, and is
credited per-file by the OpenSSF Scorecard Token-Permissions check.

YAML validated locally with yaml.safe_load.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
@arpitjain099 arpitjain099 requested a review from a team as a code owner May 14, 2026 22:18
@mergify
Copy link
Copy Markdown
Contributor

mergify Bot commented May 14, 2026

This pull request does not have a backport label. Could you fix it @arpitjain099? 🙏
To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

  • backport-v./d./d./d is the label to automatically backport to the 8./d branch. /d is the digit
  • backport-active-all is the label that automatically backports to all active branches.
  • backport-active-8 is the label that automatically backports to all active minor branches for the 8 major.
  • backport-active-9 is the label that automatically backports to all active minor branches for the 9 major.

@arpitjain099
Copy link
Copy Markdown
Author

arpitjain099 commented May 14, 2026

Hi maintainers, mergify is asking for a backport label and external contributors can't add labels themselves. Could you apply backport-skip here? This is a workflow-permissions hygiene change with no functional impact, so it shouldn't need backporting.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@arpitjain099 arpitjain099

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@arpitjain099