Skip to content

Scope dependabot-repair workflow token permissions to least privilege#43411

Merged
pelikhan merged 3 commits into
mainfrom
copilot/static-analysis-report-2026-07-04
Jul 5, 2026
Merged

Scope dependabot-repair workflow token permissions to least privilege#43411
pelikhan merged 3 commits into
mainfrom
copilot/static-analysis-report-2026-07-04

Conversation

Copilot AI commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

The static-analysis report was flat overall, with one actionable non-FP signal: zizmor excessive-permissions on dependabot-repair.lock.yml (agent job). This change narrows default workflow permissions so the compiled job no longer inherits broad token scope.

  • Problem focus

    • Address the single medium-severity excessive-permissions finding in dependabot-repair while leaving accepted FP clusters unchanged.
  • Workflow source change (.github/workflows/dependabot-repair.md)

    • Replaced top-level permissions: read-all with explicit read-only scopes:
      • actions: read
      • contents: read
      • issues: read
      • pull-requests: read
  • Generated workflow impact (.github/workflows/dependabot-repair.lock.yml)

    • Recompiled output now reflects scoped read permissions on the agent job instead of read-all.
    • Existing write scopes on downstream safe_outputs/conclusion jobs remain explicit and unchanged.
# before
permissions: read-all

# after
permissions:
  actions: read
  contents: read
  issues: read
  pull-requests: read

Copilot AI linked an issue Jul 4, 2026 that may be closed by this pull request
Copilot AI and others added 2 commits July 4, 2026 16:34
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Update static analysis report for 2026-07-04 Scope dependabot-repair workflow token permissions to least privilege Jul 4, 2026
Copilot AI requested a review from pelikhan July 4, 2026 16:45
@github-actions

github-actions Bot commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

🤖 PR Triage — Run §28715668077

Field Value
Category chore
Risk 🟢 Low
Score 70/100
Impact 35/50 — scopes dependabot-repair token to least privilege (security hardening)
Urgency 25/30 — security improvement; +6/-2 YAML, 2 files
Quality 10/20 — draft, no CI yet
Action 🚀 fast_track
Batch pr-batch:new-workflows

Minimal low-risk YAML change adding correct token permission scopes. Recommend undraft → fast-track.

Generated by 🔧 PR Triage Agent · 113.5 AIC · ⌖ 13 AIC · ⊞ 5.5K ·

@pelikhan pelikhan marked this pull request as ready for review July 5, 2026 03:25
Copilot AI review requested due to automatic review settings July 5, 2026 03:25
@pelikhan pelikhan merged commit e9d88df into main Jul 5, 2026
@pelikhan pelikhan deleted the copilot/static-analysis-report-2026-07-04 branch July 5, 2026 03:26

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR narrows the GITHUB_TOKEN permission surface for the dependabot-repair workflow to address a zizmor excessive-permissions signal by replacing read-all with explicit read-only scopes and updating the compiled workflow output accordingly.

Changes:

  • Replaced permissions: read-all with explicit read-only permissions (actions, contents, issues, pull-requests) in the workflow source.
  • Recompiled the generated .lock.yml so the agent job now uses the scoped read permissions.
Show a summary per file
File Description
.github/workflows/dependabot-repair.md Replaces read-all with explicit read-only permission scopes.
.github/workflows/dependabot-repair.lock.yml Updates compiled workflow to apply the narrowed permissions to the agent job.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 2/2 changed files
  • Comments generated: 1
  • Review effort level: Low

Comment on lines +9 to +13
permissions:
actions: read
contents: read
issues: read
pull-requests: read
Copilot AI added a commit that referenced this pull request Jul 5, 2026
…ge (#43411)

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

🎉 This pull request is included in a new release.

Release: v0.82.3

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[static-analysis] Report - 2026-07-04

3 participants