Skip to content

ci: scope stale-repos App token to least privilege#40

Merged
botantler-1[bot] merged 1 commit into
mainfrom
claude/harden-stale-repos-token
Jun 15, 2026
Merged

ci: scope stale-repos App token to least privilege#40
botantler-1[bot] merged 1 commit into
mainfrom
claude/harden-stale-repos-token

Conversation

@devantler

Copy link
Copy Markdown
Contributor

What

Adds least-privilege permission-* inputs to the actions/create-github-app-token step in stale-repository-identifier.yaml. Without them, the installation token inherits all of the App's permissions (zizmor github-app finding).

Scopes the token to exactly what the workflow uses:

  • permission-contents: read + permission-pull-requests: read — stale-repos reads repo/PR/release activity
  • permission-issues: write — opens the stale-report issue

Context

This hardening was written during #39 but landed on that branch after it was squash-merged, so it never reached main (the alert was PR-surfaced only, not active on main). This is the focused follow-up to land it.

🤖 Generated with Claude Code

The create-github-app-token step set no permission-* inputs, so the
installation token inherited blanket permissions (zizmor github-app). Scope
it to what the workflow needs: contents:read + pull-requests:read (stale-repos
activity/PR/release metrics) and issues:write (the report issue).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@botantler-1 botantler-1 Bot enabled auto-merge (squash) June 15, 2026 18:36
@botantler-1 botantler-1 Bot merged commit a9ca463 into main Jun 15, 2026
7 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant