chore(ci): set default workflow permissions to contents: read #45961
Merged
Conversation
Add an explicit top-level `permissions:` block to every workflow that
did not have one. The new default grants only `contents: read` so that
the auto-generated `GITHUB_TOKEN` available to each job starts at the
minimum needed to checkout the repo; jobs that need more (e.g. issue/PR
comments, status updates, OIDC token, packages write) already declare
their own job-level `permissions:` overrides which are preserved.
Also tighten `pr-repo-consistency-bot.yml` and `self-comment-ci.yml`
from `permissions: read-all` to `permissions: { contents: read }`.
Zizmor 1.24.1: 116 `warning[excessive-permissions]` -> 0. Closes the
matching CodeQL `actions/missing-workflow-permissions` alerts.
Behavior: no change. Workflows that were implicitly relying on the
default `GITHUB_TOKEN` write permissions (issue comments, statuses,
deployments, ...) already had job-level overrides; this change only
removes the implicit-write hammock for jobs that did not need it.
ArthurZucker approved these changes May 14, 2026
The docs for this PR live here. All of your documentation changes will be reflected on that endpoint. The docs are available until 30 days after the last update.
jp1924 pushed a commit to jp1924/transformers that referenced this pull request May 18, 2026
…gface#45961)
Summary

Add an explicit top-level `permissions:` block to every workflow that did not have one. The new default grants only `contents: read`, so each job's auto-generated `GITHUB_TOKEN` starts at the minimum needed to checkout the repo. Jobs that need more (issue/PR comments, statuses, OIDC token, packages write, etc.) already declare job-level `permissions:` overrides; those are preserved.

Also tightens `pr-repo-consistency-bot.yml` and `self-comment-ci.yml` from `permissions: read-all` to `permissions: { contents: read }`. `read-all` grants every readonly scope (issues, packages, actions, deployments, ...), which is broader than these workflows need.

Impact

- `warning[excessive-permissions]` -> 0 across `.github/workflows/`.
- `actions/missing-workflow-permissions` alerts that started firing after the SHA-pinning rescan.

Reviewer notes

- (`permissions:` + `contents: read` + blank). The two `read-all` replacements are 1-line edits.
- `benchmark.yml` and `check_tiny_models.yml` had CRLF line endings on `main`; both committed with their original CRLF preserved.
- (`secrets-inherit`, `artipacked`, `unpinned-images`, `dangerous-triggers`) are tracked for follow-up PRs.
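The check this PR satisfies, written out as an added example (not code from the PR or the transformers repo): a stdlib-only Python audit that reports workflows with no top-level `permissions:` block or with the blanket `read-all`/`write-all`, while leaving job-level overrides alone. The sample workflow names and contents are constructed, and the scanner assumes the usual 2-space block style or a one-line flow mapping rather than a full YAML parser.

```python
import re

TOP_KEY = re.compile(r"^([A-Za-z_][\w-]*):\s*(.*?)\s*$")  # matches column-0 keys only

def _mapping(pairs):
    # ['contents: read', 'issues: write'] -> {'contents': 'read', 'issues': 'write'}
    return {k.strip(): v.strip() for k, _, v in (p.partition(":") for p in pairs) if k.strip()}

def top_level_permissions(text):
    """Top-level `permissions:` as a dict, the scalar 'read-all'/'write-all', or
    None when the workflow never declares one.  Assumes 2-space block style or a
    one-line flow mapping; job-level blocks are indented, so they are skipped."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = TOP_KEY.match(line)
        if not m or m.group(1) != "permissions":
            continue
        value = m.group(2).split("#", 1)[0].strip()
        if value.startswith("{"):  # flow style: permissions: { contents: read }
            return _mapping(value.strip("{} ").split(","))
        if value:  # bare scalar: read-all / write-all
            return value
        block = []  # block style: indented `scope: level` lines until the next top-level key
        for nxt in lines[i + 1:]:
            if nxt.strip() and not nxt.startswith(" "):
                break
            if nxt.strip() and not nxt.lstrip().startswith("#"):
                block.append(nxt.strip())
        return _mapping(block)
    return None

def audit(name, text):
    """One finding for the workflow, or None when its top-level block is least-privilege."""
    perms = top_level_permissions(text)
    if perms is None:
        return f"{name}: no top-level permissions, GITHUB_TOKEN falls back to the repository default"
    if perms in ("read-all", "write-all"):
        return f"{name}: permissions: {perms} grants every scope, narrow it to what the jobs use"
    return None

# Constructed sample workflows (hypothetical names, not files from the transformers repo).
SAMPLES = {
    "missing.yml": "name: ci\non: [pull_request]\njobs:\n  test:\n    runs-on: ubuntu-latest\n",
    "read_all.yml": "name: bot\non: [issue_comment]\npermissions: read-all\njobs:\n  x:\n    runs-on: ubuntu-latest\n",
    "fixed.yml": "permissions:\n  contents: read\njobs:\n  comment:\n    permissions:\n      pull-requests: write\n",
    "fixed_flow.yml": "permissions: { contents: read }\njobs:\n  x:\n    runs-on: ubuntu-latest\n",
}

def run_audit(samples=SAMPLES):  # workflow name -> finding string, or None when clean
    return {name: audit(name, text) for name, text in samples.items()}
```

Point `run_audit` at the contents of real `.github/workflows/*.yml` files to get the same pass/fail split this PR closed out; a job that still needs `pull-requests: write` keeps its own indented block, as in `fixed.yml`.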