Problem
Workflows in this repo currently rely on the repo-wide default `GITHUB_TOKEN` permission scope. That default is invisible from the workflow files themselves: a reader has to check the org/repo settings page to know what scope the runtime token actually has (depending on when the repo was created and what the org has configured, it may be read/write on every scope), and a future job that runs `gh pr comment` or `git push` would silently inherit whatever the default is at that moment.
The hardening rule (Phase 3 of the org-wide actions audit) is: every workflow declares its own permissions: block, so the safe scope is pinned in code next to the jobs that depend on it.
Change
Add a top-level permissions: block to each workflow:
pr-open.yml: contents: read
This is behavior-neutral today (no job in these workflows writes via `GITHUB_TOKEN` beyond what the block grants; checkout only needs `contents: read`), but it pins the safe posture so any future job that needs more has to ask for it explicitly with a job-level `permissions:` block. Note that a job-level block replaces the top-level one rather than extending it, so such a job must list every scope it uses, including `contents: read`.
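For illustration, here is the shape of the change as an added example (not the repo's actual pr-open.yml; the trigger, job names, lint script and comment body are assumed). The first document shows today's state, where the token scope is whatever the settings page says; the second pins it in code and shows how a later job that needs to comment on the PR has to opt in explicitly:

```yaml
# Before (assumed minimal pr-open.yml): no permissions key anywhere, so every
# job's GITHUB_TOKEN inherits the org/repo default, which may be read/write
# on all scopes. Nothing in this file tells the reader what the job can do.
name: pr-open
on:
  pull_request:
    types: [opened]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/lint.sh        # assumed script
---
# After: a top-level block pins the safe scope next to the jobs that use it.
# Every job in this file now gets a token that can only read repo contents
# unless it asks for more with its own permissions: block.
name: pr-open
on:
  pull_request:
    types: [opened]

permissions:
  contents: read                    # enough for actions/checkout

jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/lint.sh        # assumed script

  # Hypothetical future job. A job-level permissions: block REPLACES the
  # top-level one (unlisted scopes drop to none), so it must restate
  # contents: read for checkout as well as request pull-requests: write
  # for gh pr comment. The extra scope is now visible in review.
  comment:
    runs-on: ubuntu-latest
    needs: lint
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
      - run: gh pr comment "$PR" --body "Lint passed on $GITHUB_SHA"
        env:
          GH_TOKEN: ${{ github.token }}
          PR: ${{ github.event.pull_request.number }}
```

To check the first acceptance criterion across the repo, `grep -L '^permissions:' .github/workflows/*.yml` lists any workflow file that still lacks a block at column zero (job-level blocks are indented and do not match).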
Acceptance criteria
- Every workflow file has a top-level `permissions:` block
- No job loses access to a token scope it actually uses
- CI passes on the PR
Part of the org-wide GitHub Actions hardening project.