From 6105dcfe7fdd1ec38ad9971572823e0696039391 Mon Sep 17 00:00:00 2001 From: Amit Kumar Date: Sat, 25 Apr 2026 16:07:54 +0000 Subject: [PATCH] chore(ci): add top-level permissions: read-all to workflows (RAN-46 AC) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Closes one of the audit gaps from RAN-46 AC #2 ("Workflow permissions: default to read-all, scoped up per job") + Scorecard Token-Permissions finding. Before: - ci-java.yml had no permissions declaration anywhere — relied on repo-default GITHUB_TOKEN scope (which can be write-all on older repos). - beta-java.yml + release-java.yml only had job-level scopes; missing the explicit top-level read-all that Scorecard checks for. After: - All three workflows declare `permissions: read-all` at the top level. - ci-java.yml's build job now declares `contents: read` explicitly (no other scopes needed — Sonar uses SONAR_TOKEN, not GITHUB_TOKEN). - beta-java.yml and release-java.yml keep their existing job-level `contents: write` (and `packages: write` for beta) which override the top-level for the deploy/tag steps. Audit confirmation (orthogonal to the (A)/(B) security-stack ruling still pending on RAN-46): - All `uses:` SHA-pinned across all 4 workflows (Pinned-Dependencies) - No pull_request_target anywhere (Dangerous-Workflow) - scorecard.yml already had `permissions: read-all` at top level --- .github/workflows/beta-java.yml | 2 ++ .github/workflows/ci-java.yml | 4 ++++ .github/workflows/release-java.yml | 2 ++ 3 files changed, 8 insertions(+) diff --git a/.github/workflows/beta-java.yml b/.github/workflows/beta-java.yml index 212c890f..44f41bed 100644 --- a/.github/workflows/beta-java.yml +++ b/.github/workflows/beta-java.yml @@ -2,6 +2,8 @@ name: Beta Release (Java) on: workflow_dispatch: # Manual trigger ONLY +permissions: read-all + jobs: beta: runs-on: ubuntu-latest 
diff --git a/.github/workflows/ci-java.yml b/.github/workflows/ci-java.yml index 9fce4340..cdc31c93 100644 --- a/.github/workflows/ci-java.yml +++ b/.github/workflows/ci-java.yml @@ -6,9 +6,13 @@ on: pull_request: branches: [main] +permissions: read-all + jobs: build: runs-on: ubuntu-latest + permissions: + contents: read steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4.2.2 with: diff --git a/.github/workflows/release-java.yml b/.github/workflows/release-java.yml index bbabb535..ab36ec64 100644 --- a/.github/workflows/release-java.yml +++ b/.github/workflows/release-java.yml @@ -6,6 +6,8 @@ on: description: 'Release version (e.g., 0.1.0)' required: true +permissions: read-all + jobs: release: runs-on: ubuntu-latest
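Review bot: In the beta-java.yml hunk, the new top-level `permissions: read-all` has no effect on the `beta` job's token, because a job-level `permissions:` block replaces the workflow-level block rather than merging with it; the job keeps exactly the `contents: write` and `packages: write` the commit message describes, with every other scope at `none`, and that is unchanged from before this patch. The only behavioural change is the default for any job added to this file later without its own block. Worth recording that in the YAML so the next editor does not assume the job inherits read on other scopes, e.g. a comment directly under the new line: `# default for jobs without their own block; each job below sets its own (replaces, does not merge)`. If the intent is the "scoped up per job" model from RAN-46 AC #2, `permissions: contents: read` (or an empty `permissions: {}`) at the top level is tighter than `read-all` and still gives Scorecard an explicit top-level declaration; the commit message chose `read-all` to match the AC wording, so this is a question for the RAN-46 ruling rather than a blocker.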
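Review bot: In the ci-java.yml hunk, the job-level `permissions: contents: read` on `build` means that job's GITHUB_TOKEN ends up with `contents: read` and nothing else (the job block replaces the top-level `read-all` rather than narrowing it), which is the tightest scope and matches the commit message's note that Sonar authenticates with SONAR_TOKEN. Two follow-ups: first, the top-level `read-all` is now purely the default for future jobs in this file, so a one-line comment above `jobs:` saying so would avoid someone later "fixing" the job block to add scopes it does not need. Second, this workflow also runs on `pull_request` against `main`; for pull requests from forks the token is read-only regardless of these blocks and repository secrets such as SONAR_TOKEN are not exposed, so the Sonar step should tolerate an absent token or be conditioned on the PR coming from the same repository; that step is outside the hunk, so please confirm it in the full file. Note also that only one `uses:` line is visible here (`actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4.2.2`), so the "all `uses:` SHA-pinned across all 4 workflows" statement in the message cannot be verified from this patch alone.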
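Review bot: In the release-java.yml hunk, the context lines show the workflow takes a free-form `workflow_dispatch` input (`description: 'Release version (e.g., 0.1.0)'`, `required: true`), and the `release` job runs with `contents: write` per the commit message, so the token can push tags and releases. The permissions change does nothing to constrain that input; how it is consumed is not visible in this hunk, so please confirm in the full file that it is validated before use, for example a first step that fails unless `${{ inputs.version }}` matches `^[0-9]+\.[0-9]+\.[0-9]+$`, and that it reaches `run:` steps via an `env:` variable rather than inline `${{ }}` expansion inside the shell script. That is the usual companion check to a least-privilege token on a manually dispatched release job, and it would make a good second item under the RAN-46 audit list alongside Dangerous-Workflow.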