
[Code Quality] Add explicit permissions to 14 workflows with default_permissions_on_risky_events #12596

@github-actions

Description

Fix security issue where 14 workflows triggered by risky events (issue_comment, pull_request_target) use default (overly broad) permissions. This violates the principle of least privilege and increases attack surface.

Security Impact

When workflows are triggered by risky events, they run with the repository's full context and secrets. Default permissions grant excessive access (contents: write, issues: write, etc.), which could be exploited if the workflow has vulnerabilities.

Affected Workflows

The following 14 workflows need explicit minimal permissions:

  1. ai-moderator.md
  2. archie.md
  3. brave.md
  4. cloclo.md
  5. grumpy-reviewer.md
  6. mergefest.md
  7. pdf-summary.md
  8. plan.md
  9. pr-nitpick-reviewer.md
  10. q.md
  11. scout.md
  12. security-review.md
  13. tidy.md
  14. unbloat-docs.md

Suggested Changes

Add explicit minimal permissions to YAML frontmatter in each workflow:

For Issue/PR Comment Bots:

```yaml
permissions:
  contents: read
  issues: write
  pull-requests: write
```

For PR Review Bots:

```yaml
permissions:
  contents: read
  pull-requests: write
```

For Read-Only Analysis:

```yaml
permissions:
  contents: read
```

Success Criteria

  • All 14 workflows have explicit permissions block
  • Permissions follow principle of least privilege
  • Each workflow tested and functions correctly
  • No permission errors in workflow logs
  • Workflows recompiled (make recompile)
  • Static analysis scan passes (no zizmor warnings)

Implementation Steps

  1. Review each workflow to determine required permissions
  2. Add permissions block to YAML frontmatter
  3. Use most restrictive level (read vs write)
  4. Test workflow execution
  5. Verify no permission errors
  6. Recompile workflows
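The suggested permissions blocks and the implementation steps above, as an added example that is not part of this issue or of the project's own code: a small Python audit that reads each workflow's YAML frontmatter, flags files that combine a risky trigger (`issue_comment`, `pull_request_target`) with no explicit `permissions` block, and inserts a chosen minimal block where one is missing. It assumes the flat `on:` / `permissions:` frontmatter layout shown above (it is a line-based reader, not a full YAML parser), the sample workflow files are constructed, and the function names are my own.

```python
"""Audit agentic-workflow markdown files for default permissions on risky events.

Added example, not from the project. Assumes each workflow is a markdown file
whose YAML frontmatter (between `---` lines) holds a top-level `on:` block and,
optionally, a `permissions:` block with `scope: read|write` children.
"""
import re
from typing import Dict, List, Tuple

# Events the issue calls "risky": the run gets the base repository's context and
# secrets even when the trigger came from a fork PR or an arbitrary commenter.
RISKY_EVENTS = {"issue_comment", "pull_request_target"}

FRONTMATTER_RE = re.compile(r"\A---\n(.*?)\n---\n", re.DOTALL)


def split_frontmatter(doc: str) -> Tuple[str, str]:
    """Return (frontmatter_yaml, body); raise if the file has no frontmatter."""
    m = FRONTMATTER_RE.match(doc)
    if not m:
        raise ValueError("workflow file has no YAML frontmatter")
    return m.group(1), doc[m.end():]


def top_level_blocks(yaml_text: str) -> Dict[str, List[str]]:
    """Map each top-level key to its raw lines (key line plus indented children)."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for line in yaml_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line.startswith((" ", "\t")):
            current = line.split(":", 1)[0].strip()
            blocks[current] = [line]
        elif current is not None:
            blocks[current].append(line)
    return blocks


def triggers(blocks: Dict[str, List[str]]) -> List[str]:
    """Event names under `on:`, in either inline (`on: [a, b]`) or block form."""
    lines = blocks.get("on")
    if not lines:
        return []
    head = lines[0].split(":", 1)[1].strip()
    if head:
        return [t.strip() for t in head.strip("[]").split(",") if t.strip()]
    if len(lines) == 1:
        return []
    indent = len(lines[1]) - len(lines[1].lstrip())  # first child level = events
    return [l.strip().rstrip(":") for l in lines[1:]
            if len(l) - len(l.lstrip()) == indent and l.rstrip().endswith(":")]


def permissions(blocks: Dict[str, List[str]]) -> Dict[str, str]:
    """Scope -> level from `permissions:`; `{}` or absent gives an empty map."""
    lines = blocks.get("permissions", [])
    if not lines:
        return {}
    head = lines[0].split(":", 1)[1].strip()
    if head:  # scalar form such as `permissions: read-all`
        return {} if head == "{}" else {"*": head}
    out: Dict[str, str] = {}
    for l in lines[1:]:
        k, _, v = l.strip().partition(":")
        out[k.strip()] = v.strip()
    return out


def audit(doc: str) -> dict:
    """Report triggers, explicit permissions, write scopes and the finding."""
    fm, _ = split_frontmatter(doc)
    blocks = top_level_blocks(fm)
    evts = triggers(blocks)
    perms = permissions(blocks)
    risky = sorted(RISKY_EVENTS & set(evts))
    explicit = "permissions" in blocks
    return {
        "triggers": evts,
        "risky_triggers": risky,
        "explicit_permissions": explicit,
        "write_scopes": sorted(k for k, v in perms.items() if v == "write"),
        # The finding from the issue: risky trigger + default (unset) permissions.
        "finding": bool(risky) and not explicit,
    }


def add_permissions(doc: str, perms: Dict[str, str]) -> str:
    """Append an explicit permissions block to the frontmatter if none exists.

    An existing block is left untouched so a human reviews it rather than a script
    silently widening or narrowing it.
    """
    fm, body = split_frontmatter(doc)
    if "permissions" in top_level_blocks(fm):
        return doc
    block = "permissions:\n" + "".join(f"  {k}: {v}\n" for k, v in perms.items())
    return f"---\n{fm}\n{block}---\n{body}"


# Constructed sample workflow files (not taken from the repository).
COMMENT_BOT = """---
on:
  issue_comment:
    types: [created]
engine: copilot
---
Reply to slash commands left in issue comments.
"""

REVIEWER_WITH_PERMS = """---
on:
  pull_request_target:
    types: [opened]
permissions:
  contents: read
  pull-requests: write
---
Review the pull request and leave comments.
"""

if __name__ == "__main__":
    for name, doc in (("comment-bot.md", COMMENT_BOT), ("reviewer.md", REVIEWER_WITH_PERMS)):
        print(name, audit(doc))
    fixed = add_permissions(COMMENT_BOT, {"contents": "read", "issues": "write",
                                         "pull-requests": "write"})
    print(fixed)
```

Run over the `.github/workflows/*.md` files, `audit()` gives the list that step 1 above asks for, and `add_permissions()` performs step 2 with whichever of the three templates fits the bot; steps 3 to 6 (choosing read over write, testing, recompiling) remain manual, since the script cannot know which scopes a given bot actually needs.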

Benefits

  • Reduces attack surface significantly
  • Follows security best practices
  • Limits damage from potential vulnerabilities
  • Eliminates zizmor security warnings

Priority

High - Security improvement with straightforward fix

Source

Extracted from Static Analysis Report #12558 - Zizmor Security Findings

AI generated by Discussion Task Miner - Code Quality Improvement Agent

  • expires on Feb 12, 2026, 5:15 PM UTC
