Skip to content

chore(build): Clean up GitHub Actions workflow permissions for OpenSSF Scorecard compliance #182

Closed
#183
Closed
chore(build): Clean up GitHub Actions workflow permissions for OpenSSF Scorecard compliance#182
#183
Labels
github-actionsGitHub Actions workflowssecuritySecurity-related changes or concerns
@WilliamBerryiii

Description

@WilliamBerryiii
WilliamBerryiii
opened on Jan 16, 2026

Summary

Clean up GitHub Actions workflow permissions to comply with OpenSSF Scorecard Token-Permissions requirements.

Changes Required

High Priority

  • Remove unused pull-requests: write from security-scan.yml

Medium Priority

  • Scope id-token: write to publish job only in extension-publish.yml
  • Scope id-token: write to publish job only in extension-publish-prerelease.yml

Low Priority

  • Remove duplicate top-level permissions from 11 workflows
  • Add explicit job-level permissions to extension-package.yml

Success Criteria

  • All workflows pass CI validation
  • Write permissions scoped to job-level only
  • Improved OpenSSF Scorecard Token-Permissions check

Metadata

Metadata

Assignees

No one assigned

    Labels

    github-actionsGitHub Actions workflowssecuritySecurity-related changes or concerns

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions