ci: least-privilege permissions for all workflows + harden spellcheck install#1451
Open
bmehta001 wants to merge 2 commits into
Open
ci: least-privilege permissions for all workflows + harden spellcheck install#1451bmehta001 wants to merge 2 commits into
bmehta001 wants to merge 2 commits into
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
Adds top-level least-privilege permissions: { contents: read } blocks to six CI workflows that previously inherited the repo default GITHUB_TOKEN scope. None of these workflows post comments, publish releases/packages, or write via the token, so contents: read is sufficient for actions/checkout. This mirrors the hardening pattern from PR #1450 (spellcheck) and modules PR #320.
Changes:
- Add
permissions: { contents: read }top-level block to six workflows. - Add explanatory comments referencing the CodeQL
actions/missing-workflow-permissionsrule. - No changes to triggers, jobs, runners, or steps.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| .github/workflows/build-android.yml | Adds least-privilege permissions block before concurrency: |
| .github/workflows/build-ios-mac.yml | Adds least-privilege permissions block before concurrency: |
| .github/workflows/build-posix-latest.yml | Adds least-privilege permissions block before concurrency: |
| .github/workflows/build-ubuntu-2204.yml | Adds least-privilege permissions block before concurrency: |
| .github/workflows/build-windows-vs2022.yaml | Adds least-privilege permissions block before jobs: |
| .github/workflows/test-win-latest.yml | Adds least-privilege permissions block before concurrency: |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Adds top-level `permissions: { contents: read }` to the six workflow
files on `main` that lacked an explicit GITHUB_TOKEN scope:
- .github/workflows/build-android.yml
- .github/workflows/build-ios-mac.yml
- .github/workflows/build-posix-latest.yml
- .github/workflows/build-ubuntu-2204.yml
- .github/workflows/build-windows-vs2022.yaml
- .github/workflows/test-win-latest.yml
All six only check out source and run builds or tests; none post PR
comments, deploy artifacts via the token, or otherwise need write
scopes. `actions/upload-artifact@v4` (build-android.yml) uses its own
per-run SAS URL and does not require GITHUB_TOKEN scopes.
Carry-forward from PR microsoft#1450, which hardened spellcheck.yml the same
way, and mirrors the analogous modules-repo commit decc96501. Each
file gets an explanatory comment naming the CodeQL rule it satisfies
(actions/missing-workflow-permissions) if Actions analysis is later
enabled in this repo's code-scanning config. No behavior change.
Already-permissioned workflows (codeql-analysis.yml, deploy-docs-pages.yml)
are not touched.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Three hardening fixes for .github/workflows/spellcheck.yml, ported from the same audit applied to the sister modules repo: 1. Add top-level 'permissions: contents: read'. Without an explicit block, the GITHUB_TOKEN inherits the repo default (typically read+write across most APIs), which is far more than misspell needs. misspell only walks .md/.txt/lib/tests files and prints typos to stdout; it never comments on PRs, posts statuses, or writes packages. This also satisfies CodeQL rule 'actions/missing-workflow-permissions' if Actions analysis is enabled here later (it isn't in the current codeql-analysis.yml matrix, but no reason to wait for that). 2. Replace the unpinned bootstrap install with a pinned tarball download. The prior 'curl https://git.io/misspell | sh' pattern executed a shell script from the master branch of an external repo via a git.io redirect — a supply-chain risk that also made CI non-reproducible. Now we download a specific release artifact (v0.3.4) directly from GitHub releases. 3. Verify the tarball SHA256 against the published checksum 'afd95caf1eecc72ff382791e00b3b11523a20b0579d95e2295c1c043688743d5' (linux_64bit). Any tampering or unexpected upstream change will fail CI rather than silently execute. Scope of misspell unchanged: still scans .md, .txt, examples/**, all of lib/ (excluding json.hpp), and tests/**. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
bmehta001
force-pushed
the
bhamehta/workflow-permissions-hardening
branch
from
974b610 to
a4885a4
Compare
bmehta001
changed the title
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Adds an explicit least-privilege
permissions:block to every workflow in.github/workflows/that previously lacked one, and hardensspellcheck.yml'smisspellinstall.(Originally two PRs — #1451 for the 6 build/test workflows, #1450 for the spellcheck hardening. Folded into this one PR per maintainer request to ease review.)
Why
permissions:block, workflows inherit the repo default scope (typically read+write on most APIs), which is far broader than any of these jobs need. None of the affected workflows post PR comments, deploy artifacts viaGITHUB_TOKEN, or otherwise write through it.actions/missing-workflow-permissionsCodeQL findings if Actions analysis is later added to the matrix here (already part of the modules-repo CodeQL config).8d26e4882anddecc96501on PRmicrosoft/cpp_client_telemetry_modules#320).spellcheck.ymlinstall was a supply-chain risk. The priorcurl https://git.io/misspell | shpattern executed a shell script from themasterbranch of an external repo via agit.ioredirect — both non-reproducible and trivially modifiable upstream without notice.Changes
Workflows getting a new
permissions: contents: readblock (6 files)contents: readis sufficientbuild-android.ymlactions/upload-artifact@v4uses its own per-run SAS URL, not GITHUB_TOKENbuild-ios-mac.ymlbuild-posix-latest.ymlbuild-ubuntu-2204.ymlbuild-windows-vs2022.yamltest-win-latest.ymlEach file gets a short explanatory comment naming the CodeQL rule it satisfies.
spellcheck.yml(1 file) — three fixespermissions: contents: read.misspellonly reads.md/.txt/examples/**/lib/**(excludingjson.hpp) /tests/**and prints typos to stdout.curl https://git.io/misspell | shwith a pinned tarball download ofmisspell v0.3.4from GitHub releases.afd95caf1eecc72ff382791e00b3b11523a20b0579d95e2295c1c043688743d5, linux_64bit). Any tampering or unexpected upstream change fails CI rather than silently running.The set of files scanned by
misspellis unchanged.Workflows deliberately NOT touched
codeql-analysis.ymlpermissions:blockdeploy-docs-pages.ymlpermissions:block (and legitimately needspages: write/id-token: write)Testing
Build for Android > Checkoutstep succeeded in CI on the originalbhamehta/workflow-permissions-hardeningpush → confirmscontents: readis sufficient foractions/checkout@v4.bhamehta/spellcheck-hardeningpush passed end-to-end with the pinned tarball + SHA verification.CI signal on this branch (after consolidation)
The two PRs separately reproduced two pre-existing infra flakes that are unrelated to the changes here:
Analyze (cpp)(CodeQL) has been timing out acrossmainand most PRs (4–6 h runtimes); see runs26551009149,26302618182,26393096056onmain. The error isCodeQL is out of memoryon the Windows runner — a runner-sizing/CodeQL-version issue, not a code defect.build (release, ubuntu-latest)hit a 6 h job-timeout cancellation on one of the prior runs; the same path passed on the other PR's run.Both are well-known infra flakes; not caused by anything in this diff. Happy to re-run after consolidation if needed.