Skip to content

Add explicit permissions to error-message-lint workflow#41233

Merged
pelikhan merged 2 commits into
mainfrom
copilot/code-scanning-fix-add-permissions
Jun 24, 2026
Merged

Add explicit permissions to error-message-lint workflow#41233
pelikhan merged 2 commits into
mainfrom
copilot/code-scanning-fix-add-permissions

Conversation

Copilot AI commented Jun 24, 2026

Copy link
Copy Markdown
Contributor

Without an explicit permissions block, the GITHUB_TOKEN defaults to repository-level settings which may grant overly broad write access (CWE-272: Least Privilege Violation).

Changes

  • .github/workflows/error-message-lint.yml: Added top-level permissions: contents: read — the minimum required for checkout and Go linting
permissions:
  contents: read

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix actions/missing-workflow-permissions in error-message-lint workflow Add explicit permissions to error-message-lint workflow Jun 24, 2026
Copilot AI requested a review from pelikhan June 24, 2026 14:27
@pelikhan pelikhan marked this pull request as ready for review June 24, 2026 14:27
Copilot AI review requested due to automatic review settings June 24, 2026 14:27
@pelikhan pelikhan merged commit a4f067b into main Jun 24, 2026
@pelikhan pelikhan deleted the copilot/code-scanning-fix-add-permissions branch June 24, 2026 14:28

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This pull request tightens the GitHub Actions token scope for the error-message lint workflow by explicitly setting minimal permissions, reducing the risk of unintended write access via the default GITHUB_TOKEN permissions.

Changes:

  • Added a top-level permissions block to restrict GITHUB_TOKEN to contents: read for the workflow.
Show a summary per file
File Description
.github/workflows/error-message-lint.yml Adds explicit least-privilege permissions (contents: read) for the lint workflow.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 1/1 changed files
  • Comments generated: 0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[code-scanning-fix] Fix actions/missing-workflow-permissions: Add explicit permissions to error-message-lint workflow

3 participants