Skip to content

PDP-1182 SECCMP-1797: Downgrade contents permission from write to read in pr-workflow#1930

Merged
rjrudin merged 1 commit intodevelopfrom
fix/SECCMP-1797-remove-write-permissions
Apr 8, 2026
Merged

PDP-1182 SECCMP-1797: Downgrade contents permission from write to read in pr-workflow#1930
rjrudin merged 1 commit intodevelopfrom
fix/SECCMP-1797-remove-write-permissions

Conversation

@GAdityaVarma
Copy link
Copy Markdown

@GAdityaVarma GAdityaVarma commented Apr 8, 2026
edited by atlassian bot
Loading

SECCMP-1797: Downgrade contents permission from write to read

Problem

The copyright-validation job grants contents: write to the workflow token. This is unnecessary - the called reusable workflow (copyright-check.yml) only needs contents: read to checkout code and already declares that in its own permissions block.

Granting contents: write in a pull_request_target workflow expands the blast radius of any PwnRequest-style attack by giving the token ability to push commits, create tags, or modify repo contents.

Fix

# Before
permissions:
  contents: write     # unnecessary
  pull-requests: write
  issues: write

# After
permissions:
  contents: read      # least privilege
  pull-requests: write
  issues: write

References

@GAdityaVarma
SECCMP-1797: Downgrade contents permission from write to read
fbfe779 
The copyright-check reusable workflow only needs contents: read
to checkout code. contents: write was unnecessarily granting the
workflow token write access to repository contents, which expands
the blast radius of any PwnRequest-style attack.

The called workflow (copyright-check.yml) already declares its own
permissions block with contents: read.
Copilot AI review requested due to automatic review settings April 8, 2026 08:53
Copilot AI reviewed Apr 8, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Reduces the GitHub Actions token permissions for the copyright-validation job in the PR workflow to follow least-privilege guidance for pull_request_target workflows.

Changes:

  • Downgrade contents permission from write to read for the copyright-validation job.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@GAdityaVarma GAdityaVarma changed the title SECCMP-1797: Downgrade contents permission from write to read in pr-workflow PDP-1182 SECCMP-1797: Downgrade contents permission from write to read in pr-workflow Apr 8, 2026
rjrudin
rjrudin previously approved these changes Apr 8, 2026
View reviewed changes
@rjrudin rjrudin changed the base branch from master to develop April 8, 2026 10:57
@rjrudin rjrudin dismissed their stale review April 8, 2026 10:57

The base branch was changed.

@rjrudin rjrudin merged commit 17558bc into develop Apr 8, 2026
12 of 16 checks passed
@rjrudin rjrudin deleted the fix/SECCMP-1797-remove-write-permissions branch April 8, 2026 10:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@rjrudin rjrudin rjrudin left review comments

@BillFarber BillFarber Awaiting requested review from BillFarber BillFarber is a code owner

@stevebio stevebio Awaiting requested review from stevebio stevebio is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@GAdityaVarma @rjrudin