fix: add explicit permissions to GitHub Actions workflows #414

Merged: JoshMock merged 1 commit into main from fix/explicit-github-token-permissions on Jun 16, 2026

Conversation

@flobernd

Member

InfoSec is changing GITHUB_TOKEN default permissions from read/write to read-only on July 15th. This PR adds explicit permissions blocks to workflows that require write access.

Changes

| Workflow | Fix applied |
|---|---|
| auto-pr.yml | Added contents: write, pull-requests: write, issues: read — delegates to reusable workflow that creates PRs |
| codeql.yml | Added permissions: {} at top level — job-level security-events: write already present, top-level deny-all is best practice |
| docs-preview-cleanup.yml | Added permissions: {} at top level — job-level permissions already scoped correctly |
| regenerate-notice.yml | Added permissions: {} at top level — job-level contents: write already present for git push |
| resolve-conflicts.yml | Added contents: write, pull-requests: write, issues: read — delegates to reusable workflow that resolves backport conflicts |

References

InfoSec is changing GITHUB_TOKEN default permissions from read/write
to read-only on July 15th. Adding explicit permissions blocks to all
workflows that require write access.
@github-actions

Contributor

MegaLinter analysis: Success

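| Descriptor | Linter | Files | Fixed | Errors | Warnings | Elapsed time |
|---|---|---|---|---|---|---|
| ✅ ACTION | actionlint | 5 | | 0 | 0 | 0.24s |
| ✅ COPYPASTE | jscpd | yes | | no | no | 10.74s |
| ✅ REPOSITORY | gitleaks | yes | | no | no | 59.68s |
| ✅ REPOSITORY | git_diff | yes | | no | no | 0.61s |
| ✅ REPOSITORY | secretlint | yes | | no | no | 30.9s |
| ✅ REPOSITORY | trivy | yes | | no | no | 18.58s |
| ✅ YAML | yamllint | 5 | | 0 | 0 | 0.92s |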

Notices

📣 MegaLinter 9.5.0 is out! Discover the new features and security recommendations in the release announcement. (Skip this info by defining SECURITY_SUGGESTIONS: false)

See detailed reports in MegaLinter artifacts
Set VALIDATE_ALL_CODEBASE: true in mega-linter.yml to validate all sources, not only the diff


@JoshMock JoshMock merged commit 252fd44 into main Jun 16, 2026
24 of 26 checks passed
@JoshMock JoshMock deleted the fix/explicit-github-token-permissions branch June 16, 2026 20:08
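
An added example, not part of this pull request or the repository: a standard-library Python check that lists which jobs in a workflow file set no `permissions` at either level and therefore depend on the default that the description says is changing. The function name, result keys and the two sample workflows are constructed for illustration, and the scan assumes conventionally indented YAML.

```python
import re

def audit_workflow(text):
    """Scan one workflow file for explicit GITHUB_TOKEN permissions.
    Assumes top-level keys at column 0 and job ids indented two spaces.
    """
    top_level, in_jobs, current, jobs = None, False, None, {}
    for raw in text.splitlines():
        line = raw.split(" #")[0].rstrip()           # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line.startswith(" "):                 # a top-level key
            in_jobs, current = line.startswith("jobs:"), None
            m = re.match(r"permissions:\s*(.*)$", line)
            if m:
                top_level = m.group(1) or "block"    # "{}", "read-all" or a mapping
        elif in_jobs:
            m = re.match(r"  ([A-Za-z_][\w-]*):\s*$", line)
            if m:                                    # start of a job definition
                current = m.group(1)
                jobs[current] = False
            elif current and re.match(r"    permissions:", line):
                jobs[current] = True                 # job declares its own scopes
    # Jobs with neither level set inherit the repository/organization default,
    # so they are the ones affected when that default becomes read-only.
    exposed = [j for j, own in jobs.items() if not own] if top_level is None else []
    return {"top_level": top_level, "default_dependent_jobs": exposed}

# Constructed sample workflows (not the repository's actual files).
DENY_ALL_TOP = """\
on: push
permissions: {}
jobs:
  analyze:
    permissions:
      security-events: write
    steps:
      - run: echo scan
"""
NO_PERMISSIONS = """\
on: push
jobs:
  build:
    steps:
      - run: git push   # needs contents: write
"""

if __name__ == "__main__":
    for name, wf in (("deny-all", DENY_ALL_TOP), ("implicit", NO_PERMISSIONS)):
        print(name, audit_workflow(wf))
```

A job reported in `default_dependent_jobs` that pushes commits or opens pull requests needs an explicit write scope before the default changes.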