ci(deploy): scope Pages permissions to the jobs that need them #136
Merged
Conversation
Security-review follow-up to #103 / #134. deploy.yml granted pages:write + id-token:write at the workflow level, so the `build` job (checkout, install, docs:generate, configure-pages, upload-pages-artifact) ran with an OIDC-mintable token it never uses. Confine the privileged scope to `deploy` and drop `build` to read-only:

- workflow: contents: read
- build: contents: read, pages: read (configure-pages reads the Pages config)
- deploy: pages: write, id-token: write (deploy-pages publishes via OIDC)

Needs a verification deploy run before merge (see PR body): deploy.yml only runs on push to main / workflow_dispatch, so it cannot be exercised from CI on a branch.

https://claude.ai/code/session_01977J3EFoxeffXCHS2TE7Kw
Security-review follow-up to #103 / #134 (deferred from that PR by agreement).
Problem

`deploy.yml` declared the privileged Pages scope at the workflow level, so every job inherited it. The `build` job (checkout, install, `docs:generate`, `configure-pages`, `upload-pages-artifact`) ran with `id-token: write` (an OIDC token it never mints) and `pages: write` (it never publishes).

Change

Confine privilege to `deploy`; drop `build` to read-only.

| Level | Before | After |
| --- | --- | --- |
| workflow | `contents: read, pages: write, id-token: write` | `contents: read` |
| build | (inherited from workflow) | `contents: read, pages: read` |
| deploy | (inherited from workflow) | `pages: write, id-token: write` |

`build` keeps `pages: read` because `actions/configure-pages` GETs the Pages site config to derive the base path; `upload-pages-artifact` needs no `pages` scope.

Review & checks

- Reviewed from five angles (eng / QA / security / CTO / docs) — the diff was assessed correct, no code changes requested on `deploy.yml`.
- A dependency-free permission-invariant script confirms: workflow == `{contents:read}`, `build` has no `id-token`/`pages:write`, `deploy` scoped to exactly `{pages:write, id-token:write}` — 6/6 OK.
- `deploy.yml` runs only on `push: main` / `workflow_dispatch`, so CI cannot exercise it on a branch. Run `workflow_dispatch` on this branch (Actions → "Deploy to Pages 📰" → Run workflow → `claude/deploy-perms-least-privilege`) and confirm the `build` job — especially the `configure-pages` step — is green.
- If the `github-pages` environment restricts deployments to `main`, the `deploy` job will pause/skip on a non-main run due to environment protection — expected, not a failure of this change. The `build` result is what matters in this run.
- main deploy.

Rollback path: if `configure-pages` fails with `403 Resource not accessible by integration`, add `pages: write` to the `build` job (or restore the workflow-level `pages: write`). The core win — removing `id-token: write` from `build` — holds regardless. A failed `build` simply skips `deploy`, so live Pages stay on the last good version (no broken deploy).

Defence-in-depth (repo setting, not in this diff)

Confirm Settings → Environments → `github-pages` restricts deployments to `main`.

https://claude.ai/code/session_01977J3EFoxeffXCHS2TE7Kw
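The permission layout and the invariant check the PR body describes, as an added example that is not the project's own deploy.yml or its checking script. Both workflow texts below are constructed to match the PR description; the action versions, the `npm run docs:generate` build command, and the exact six invariants are assumptions of this example. The parser deliberately has no dependencies (no PyYAML) and understands only the subset of YAML a `permissions:` block needs, so it can run as a pre-merge check anywhere Python is available.

```python
"""Added example: dependency-free least-privilege check for the `permissions`
blocks of a GitHub Actions workflow, modelled on the PR's deploy.yml."""
import re

# Constructed "before": one workflow-level grant that both jobs inherit.
DEPLOY_BEFORE = """\
permissions:
  contents: read
  pages: write
  id-token: write
jobs:
  build:
    runs-on: ubuntu-latest
  deploy:
    runs-on: ubuntu-latest
"""

# Constructed "after": read-only build, privilege confined to deploy.
DEPLOY_AFTER = """\
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pages: read  # configure-pages GETs the Pages site config
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm run docs:generate  # assumed build command
      - uses: actions/configure-pages@v5
      - uses: actions/upload-pages-artifact@v3
  deploy:
    needs: build
    runs-on: ubuntu-latest
    environment: github-pages
    permissions:
      pages: write
      id-token: write  # deploy-pages publishes via OIDC
    steps:
      - uses: actions/deploy-pages@v4
"""

JOB_RE = re.compile(r"^  ([A-Za-z_][\w-]*):$")  # two-space job key under jobs:
KV_RE = re.compile(r"^([\w-]+):\s*(.*)$")


def permissions_by_scope(workflow: str) -> dict:
    """Map 'workflow' and each job name to its `permissions` mapping.
    Block form and the read-all / write-all / {} shorthands are handled;
    a scope with no block of its own is absent from the result."""
    lines = [re.sub(r"\s+#.*$", "", ln).rstrip() for ln in workflow.splitlines()]
    scopes, job, in_jobs, i = {}, None, False, 0
    while i < len(lines):
        line, i = lines[i], i + 1
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:
            in_jobs, job = line == "jobs:", None
        elif in_jobs and (m := JOB_RE.match(line)):
            job = m.group(1)
        m = KV_RE.match(line.strip())
        if not m or m.group(1) != "permissions":
            continue
        scope = "workflow" if indent == 0 else job
        if scope is None:
            continue  # a depth this subset parser does not model
        rest = m.group(2)
        if rest:  # shorthand forms: read-all, write-all, {}
            perms = {} if rest == "{}" else {"*": rest.replace("-all", "")}
        else:     # indented key: value entries until indentation drops back
            perms = {}
            while i < len(lines) and (not lines[i].strip()
                                      or lines[i].startswith(" " * (indent + 1))):
                if lines[i].strip():
                    key, val = lines[i].strip().split(":", 1)
                    perms[key.strip()] = val.strip()
                i += 1
        scopes[scope] = perms
    return scopes


def grants(perms: dict, scope: str, level: str) -> bool:
    return perms.get(scope) == level or perms.get("*") == level


def check_invariants(workflow: str) -> dict:
    """Least-privilege invariants for deploy.yml, as {check name: passed}."""
    p = permissions_by_scope(workflow)
    wf = p.get("workflow")
    # A job-level block replaces the workflow block entirely; a job with no
    # block inherits the workflow grant, so check each job's effective set.
    build, deploy = p.get("build", wf or {}), p.get("deploy", wf or {})
    return {
        "workflow declares permissions": wf is not None,
        "workflow is contents:read only": wf == {"contents": "read"},
        "build declares its own block": "build" in p,
        "build cannot mint an OIDC token": not grants(build, "id-token", "write"),
        "build cannot write Pages": not grants(build, "pages", "write"),
        "deploy is exactly pages:write + id-token:write":
            deploy == {"pages": "write", "id-token": "write"},
    }


if __name__ == "__main__":
    for label, text in (("before", DEPLOY_BEFORE), ("after", DEPLOY_AFTER)):
        print(label, f"{sum(check_invariants(text).values())}/6 OK")
```

Run against the "before" text the check reports 1/6 (the inherited `id-token: write` on `build` is the failing case the PR closes); against the "after" text it reports 6/6. The "deploy is exactly" check is strict on purpose: because a job-level `permissions` block replaces rather than merges with the workflow-level one, `deploy` ends up with no `contents` scope at all, which `actions/deploy-pages` does not need.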