Skip to content

Add token permissions to workflows for OpenSSF Scorecard compliance#2677

Merged
Aryan-sharma11 merged 1 commit into
kubearmor:mainfrom
asmit27rai:token-permission
Jun 29, 2026
Merged

Add token permissions to workflows for OpenSSF Scorecard compliance#2677
Aryan-sharma11 merged 1 commit into
kubearmor:mainfrom
asmit27rai:token-permission

Conversation

@asmit27rai

Copy link
Copy Markdown
Contributor

Summary

Fixes Token-Permissions check on OpenSSF Scorecard (0 → 10).

Score

asmit:~$ scorecard --repo github.com/asmit27rai/KubeArmor --checks Token-Permissions --show-details
Starting [Token-Permissions]
Finished [Token-Permissions]

RESULTS
-------
Aggregate score: 10.0 / 10

Check scores:
|---------|-------------------|--------------------------------|---------------------------------------------------|------------------------------------------------------------------------------------------------------------------|
|  SCORE  |       NAME        |             REASON             |                      DETAILS                      |                                            DOCUMENTATION/REMEDIATION                                             |
|---------|-------------------|--------------------------------|---------------------------------------------------|------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Token-Permissions | GitHub workflow tokens follow  | Info: topLevel permissions set to 'read-all':     | https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#token-permissions |
|         |                   | principle of least privilege   | .github/workflows/ci-codespell.yml:16 Info:       |                                                                                                                  |
|         |                   |                                | topLevel permissions set to 'read-all':           |                                                                                                                  |
|         |                   |                                | .github/workflows/ci-latest-release.yml:26        |                                                                                                                  |
|         |                   |                                | Info: topLevel permissions set to 'read-all':     |                                                                                                                  |
|         |                   |                                | .github/workflows/ci-latest-ubi-release.yml:26    |                                                                                                                  |
|         |                   |                                | Info: topLevel permissions set to 'read-all':     |                                                                                                                  |
|         |                   |                                | .github/workflows/ci-marketplace-release.yml:11   |                                                                                                                  |
|         |                   |                                | Info: topLevel permissions set to 'read-all':     |                                                                                                                  |
|         |                   |                                | .github/workflows/ci-merge-coverage.yaml:9        |                                                                                                                  |
|         |                   |                                | Info: topLevel permissions set to 'read-all':     |                                                                                                                  |
|         |                   |                                | .github/workflows/ci-multiubuntu-push.yml:8       |                                                                                                                  |
|         |                   |                                | Info: topLevel permissions set to 'read-all':     |                                                                                                                  |
|         |                   |                                | .github/workflows/ci-network-tests.yml:26         |                                                                                                                  |
|         |                   |                                | Info: topLevel permissions set to 'read-all':     |                                                                                                                  |
|         |                   |                                | .github/workflows/ci-operator-release.yaml:25     |                                                                                                                  |
|         |                   |                                | Info: topLevel permissions set to 'read-all':     |                                                                                                                  |
|         |                   |                                | .github/workflows/ci-operator-ubi-release.yaml:25 |                                                                                                                  |
|         |                   |                                | Info: topLevel permissions set to 'read-all':     |                                                                                                                  |
|         |                   |                                | .github/workflows/ci-stable-release.yml:10 Info:  |                                                                                                                  |
|         |                   |                                | jobLevel 'contents' permission set to 'read':     |                                                                                                                  |
|         |                   |                                | .github/workflows/ci-stable-release.yml:19 Warn:  |                                                                                                                  |
|         |                   |                                | jobLevel 'contents' permission set to 'write':    |                                                                                                                  |
|         |                   |                                | .github/workflows/ci-stable-release.yml:66:       |                                                                                                                  |
|         |                   |                                | Verify which permissions are needed and consider  |                                                                                                                  |
|         |                   |                                | whether you can reduce them. (High effort)        |                                                                                                                  |
|         |                   |                                | Info: topLevel permissions set to 'read-all':     |                                                                                                                  |
|         |                   |                                | .github/workflows/ci-systemd-release.yml:15       |                                                                                                                  |
|         |                   |                                | Info: topLevel permissions set to 'read-all':     |                                                                                                                  |
|         |                   |                                | .github/workflows/ci-test-controllers.yml:12      |                                                                                                                  |
|         |                   |                                | Info: topLevel permissions set to 'read-all':     |                                                                                                                  |
|         |                   |                                | .github/workflows/ci-test-ginkgo.yml:26           |                                                                                                                  |
|         |                   |                                | Info: topLevel permissions set to 'read-all':     |                                                                                                                  |
|         |                   |                                | .github/workflows/ci-test-go.yml:22 Info:         |                                                                                                                  |
|         |                   |                                | topLevel permissions set to 'read-all':           |                                                                                                                  |
|         |                   |                                | .github/workflows/ci-test-helm-charts.yml:16      |                                                                                                                  |
|         |                   |                                | Info: topLevel permissions set to 'read-all':     |                                                                                                                  |
|         |                   |                                | .github/workflows/ci-test-operator.yaml:21        |                                                                                                                  |
|         |                   |                                | Info: topLevel permissions set to 'read-all':     |                                                                                                                  |
|         |                   |                                | .github/workflows/ci-test-systemd.yml:20          |                                                                                                                  |
|         |                   |                                | Info: topLevel permissions set to 'read-all':     |                                                                                                                  |
|         |                   |                                | .github/workflows/ci-test-ubi-image.yml:25        |                                                                                                                  |
|         |                   |                                | Info: topLevel permissions set to 'read-all':     |                                                                                                                  |
|         |                   |                                | .github/workflows/ci-trivy-scan-ubi.yaml:19       |                                                                                                                  |
|         |                   |                                | Info: topLevel permissions set to 'read-all':     |                                                                                                                  |
|         |                   |                                | .github/workflows/ci-trivy-scan.yaml:19           |                                                                                                                  |
|         |                   |                                | Info: topLevel permissions set to 'read-all':     |                                                                                                                  |
|         |                   |                                | .github/workflows/codeql.yml:23 Info:             |                                                                                                                  |
|         |                   |                                | topLevel permissions set to 'read-all':           |                                                                                                                  |
|         |                   |                                | .github/workflows/scorecard.yml:18                |                                                                                                                  |
|---------|-------------------|--------------------------------|---------------------------------------------------|------------------------------------------------------------------------------------------------------------------|

@Aryan-sharma11

Copy link
Copy Markdown
Member

@asmit27rai, kindly rebase and squash the commits.

Signed-off-by: asmit27rai <[email protected]>

read permissions to push-stable-version job

Signed-off-by: asmit27rai <[email protected]>

replace the repo name

Signed-off-by: asmit27rai <[email protected]>

use minimal job-level permissions instead of read-all

Signed-off-by: asmit27rai <[email protected]>
@asmit27rai

asmit27rai commented Jun 29, 2026

Copy link
Copy Markdown
Contributor Author

@Aryan-sharma11 Squashed All The Commits.

@Aryan-sharma11

Copy link
Copy Markdown
Member

LGTM 🚀

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates GitHub Actions workflow GITHUB_TOKEN permissions to align with OpenSSF Scorecard’s Token-Permissions check, aiming to enforce least-privilege defaults while allowing specific jobs to elevate permissions when required.

Changes:

  • Adds/adjusts workflow- and job-level permissions blocks in select workflows.
  • Narrows permissions for ci-stable-release’s release job to contents: read.
  • Cleans up minor YAML formatting (whitespace/quoting) in ci-merge-coverage.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

File Description
.github/workflows/renovate.yml Adds an explicit top-level permissions block for token-permissions compliance.
.github/workflows/ci-stable-release.yml Adds job-level permissions for the stable release job and removes a stray YAML artifact.
.github/workflows/ci-merge-coverage.yaml Adds top-level and job-level token permissions and normalizes minor YAML formatting.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .github/workflows/renovate.yml
Comment thread .github/workflows/ci-merge-coverage.yaml
@Aryan-sharma11 Aryan-sharma11 merged commit 44bc2c3 into kubearmor:main Jun 29, 2026
7 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants