Skip to content

ci: harden GitHub Actions workflow permissions#34

Open
kilbot wants to merge 1 commit into
mainfrom
security/harden-workflow-permissions
Open

ci: harden GitHub Actions workflow permissions#34
kilbot wants to merge 1 commit into
mainfrom
security/harden-workflow-permissions

Conversation

@kilbot

@kilbot kilbot commented Jun 17, 2026

Copy link
Copy Markdown
Contributor

Summary

CodeQL rule actions/missing-workflow-permissions (CWE-275) fired on two workflow files because they had no top-level permissions: block and therefore inherited the repository default GITHUB_TOKEN scope. This PR adds an explicit, least-privilege top-level permissions: block to each flagged workflow.

Changes

Workflow Permissions block Rationale
.github/workflows/tests.yml contents: read Only checks out the repo and runs PHPUnit / Vitest. No push, tag, release, comment, or deploy; no step uses GITHUB_TOKEN to write. Read is sufficient.
.github/workflows/lint.yml contents: read Only checks out the repo and runs PHPCS. No write of any kind; no step uses GITHUB_TOKEN to write. Read is sufficient.

Both blocks are placed after concurrency: and before jobs:, matching the existing two-space indentation.

Notes

  • Least-privilege and behavior-preserving. The only change is the addition of the permissions: blocks; no job, step, or trigger logic was modified. Both files still parse as valid YAML.
  • Granting contents: read at the top level also implicitly drops every other permission to none, which is the intended hardening.
  • Raised as part of the 2026-06-17 wcpos org security triage.

@coderabbitai

coderabbitai Bot commented Jun 17, 2026

Copy link
Copy Markdown

Warning

Review limit reached

@kilbot, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 21 minutes and 28 seconds. Learn how PR review limits work.

To continue reviewing without waiting, enable usage-based billing in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan refill rate.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, the refill rate gradually slows as usage increases. The highest same-day bursts are limited more strictly.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: wcpos/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: ed4d84da-0540-450b-a79a-7ec9d9ff4aee

📥 Commits

Reviewing files that changed from the base of the PR and between 8fdb274 and a2a8c05.

📒 Files selected for processing (2)
  • .github/workflows/lint.yml
  • .github/workflows/tests.yml
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch security/harden-workflow-permissions

Comment @coderabbitai help to get the list of available commands and usage tips.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant