Labels: automation, code-quality, cookie (Issue Monster Loves Cookies!), security, task-mining
Description
14 workflows are triggered by risky events (issue_comment, pull_request_target) but use default permissions (read-write access to most resources). This violates the principle of least privilege and exposes the repository to potential privilege escalation attacks.
Identified by
Poutine supply chain security scanner in Static Analysis Report #12756
Affected Workflows
The following workflows need explicit minimal permissions added to their frontmatter:
- .github/workflows/ai-moderator.md
- .github/workflows/archie.md
- .github/workflows/brave.md
- .github/workflows/cloclo.md
- .github/workflows/grumpy-reviewer.md
- .github/workflows/mergefest.md
- .github/workflows/pdf-summary.md
- .github/workflows/plan.md
- .github/workflows/pr-nitpick-reviewer.md
- .github/workflows/q.md
- .github/workflows/scout.md
- .github/workflows/security-review.md
- .github/workflows/tidy.md
- .github/workflows/unbloat-docs.md
Required Changes
For each workflow above, add explicit minimal permissions to the frontmatter YAML:
Before:
```yaml
---
name: Example Workflow
on:
  issue_comment:
    types: [created]
---
```
After:
```yaml
---
name: Example Workflow
on:
  issue_comment:
    types: [created]
permissions:
  contents: read
  issues: write
  pull-requests: write
---
```
Common Permission Patterns
- For workflows that read data and create reports: contents: read, issues: write, pull-requests: read
- For workflows that respond to comments: contents: read, issues: write, pull-requests: write
- For workflows that modify code: contents: write, issues: write, pull-requests: write
Success Criteria
- All 14 workflows have an explicit permissions: section in frontmatter
- Permissions follow the principle of least privilege
- Poutine warning default_permissions_on_risky_events is resolved
- All workflows compile without errors after changes
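One way to verify the criteria above before re-running the scanner, as an added example that is not part of this issue, the repository, or the Poutine tool: a small frontmatter scanner that flags any markdown workflow triggered by issue_comment or pull_request_target without an explicit permissions: key. The BEFORE and AFTER strings are constructed samples mirroring the snippets in this issue, not files from the repository, and the scanner reads only the shape of the frontmatter rather than parsing full YAML.

```python
import re

RISKY_EVENTS = {"issue_comment", "pull_request_target"}

def frontmatter_lines(text: str) -> list:
    """Lines between the opening and closing '---' markers ([] if absent)."""
    m = re.match(r"^---\r?\n(.*?)\r?\n---", text, re.S)
    return m.group(1).splitlines() if m else []

def top_level_blocks(lines: list) -> dict:
    """Map each top-level key to (inline value, [(indent, nested line), ...]); not a YAML parser."""
    blocks, current = {}, None
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:  # unindented line starts a new top-level key
            key, _, rest = line.partition(":")
            current = key.strip()
            blocks[current] = (rest.strip(), [])
        elif current is not None:  # indented line belongs to the current key
            blocks[current][1].append((indent, line.strip()))
    return blocks

def trigger_events(blocks: dict) -> set:
    """Event names under 'on:' in inline ('on: [a, b]') or block form."""
    inline, nested = blocks.get("on", ("", []))
    if inline:
        return set(re.findall(r"[a-z_]+", inline))
    if not nested:
        return set()
    shallowest = min(indent for indent, _ in nested)  # event names sit one level under 'on:'
    return {text.split(":")[0].strip() for indent, text in nested if indent == shallowest}

def audit_workflow(text: str) -> dict:
    """Report the finding this issue describes: a risky trigger with no explicit permissions."""
    blocks = top_level_blocks(frontmatter_lines(text))
    risky = sorted(trigger_events(blocks) & RISKY_EVENTS)
    explicit = "permissions" in blocks
    return {"risky_events": risky, "has_permissions": explicit,
            "default_permissions_on_risky_events": bool(risky) and not explicit}

# Constructed samples mirroring the issue's before/after frontmatter (not real repository files).
BEFORE = "---\nname: Example Workflow\non:\n  issue_comment:\n    types: [created]\n---\nBody\n"
AFTER = BEFORE.replace("---\nBody", "permissions:\n  contents: read\n  issues: write\n  pull-requests: write\n---\nBody")

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_workflow(text))
```

Run it over every .github/workflows/*.md file and the change is complete when no file reports default_permissions_on_risky_events as true.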
Priority
High - Security vulnerability that should be addressed promptly
References
- AI generated by Discussion Task Miner - Code Quality Improvement Agent
- expires on Feb 13, 2026, 5:15 PM UTC