Extend explicit workflow permissions to 19 check/lint/quickstart workflows#17172

Open
arpitjain099 wants to merge 1 commit into microsoft:3.0 from arpitjain099:ci/declare-permissions

Conversation

@arpitjain099

Following up on #7282, which made a first pass at declaring explicit `permissions:` blocks in this repo. Since then several new check/lint workflows have been added and the 2.0 quickstart was renamed without picking up the same hardening, so most of the validators in `.github/workflows/` are once again running with the repository default token scope.

This patch adds a top-level

```yaml
permissions:
  contents: read
```

to 19 workflows:

```
check-circular-deps.yml            check-package-cgmanifest.yml      check-spec.yml
check-clean-stage.yml              check-package-update-gate.yml     check-srpm-duplicates.yml
check-entangled-specs.yml          check-source-signatures.yml       check-static-glibc.yml
check-files.yml                    go-test-coverage.yml              lint-specs.yml
check-kernel-configs.yml           merge-conflict-check.yml          quickstart_2.0.yml
check-license-map.yml              verify-osguard-imageconfigs.yml
check-manifests.yml                check-package-builds.yml
```

All 19 fire on push / pull_request (or schedule / workflow_dispatch for quickstart_2.0.yml), check out the repo, and run spec / package / lint validators. None push commits, create releases, or call write APIs.

The two workflows that already declare `permissions: {}` with `pull_request_target` (check-rendered-specs-stub.yml, spec-review-stub.yml) are intentionally left alone — they have a stub-plus-reusable architecture with explicit scope notes and don't need a different default.

YAML validated locally with PyYAML before commit; diff is +57 lines, no other changes.

…flows

PR microsoft#7282 made a first pass at making GitHub Actions permissions explicit in
this repo. Since then several check/lint workflows and the 2.0 quickstart
have been added without permissions blocks (the old hardened files were
deleted or renamed, e.g. check-livepatches.yml and quickstart_1.0.yml).

All 19 workflows in this PR are pure CI: they fire on push/pull_request (or
schedule/workflow_dispatch for the quickstart), check out the repo, and run
spec/package/lint validators. None push commits, create releases, or call
write APIs, so 'contents: read' is the correct minimum.

The two workflows that intentionally use 'permissions: {}' with
pull_request_target (check-rendered-specs-stub.yml, spec-review-stub.yml)
are not touched — those have a deliberate stub+reusable architecture and
already declare scope correctly.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
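As an added illustration (not code from this PR or from the repository), the following Python script does the audit that motivates the change: it classifies each workflow file by whether it declares `permissions` at the top level, only inside individual jobs, or not at all, and applies the same `contents: read` top-level block the PR adds to files that lack one. It treats an explicit `permissions: {}` as already declared, matching the decision to leave the two `pull_request_target` stubs alone. Because top-level keys of a workflow always start in column 0 and job-level blocks are indented under `jobs:`, the check needs no YAML parser. The sample workflows, the `./run-lint.sh` script and the reusable-workflow path it uses are constructed for the example.

```python
"""Audit GitHub Actions workflows for an explicit top-level `permissions` block.

Added example, not code from the PR or the repository. Top-level keys of a
workflow file always start in column 0 and job-level blocks are indented under
`jobs:`, so a column-0 match is enough to classify a file without PyYAML.
"""
import re
import sys
from pathlib import Path

# A workflow-wide declaration (including the deliberately empty `permissions: {}`).
TOP_LEVEL_PERMISSIONS = re.compile(r"^permissions:", re.MULTILINE)
# A declaration indented under a job: only that job is covered; the other jobs
# still inherit the repository default token scope.
JOB_LEVEL_PERMISSIONS = re.compile(r"^[ \t]+permissions:", re.MULTILINE)
TOP_LEVEL_JOBS = re.compile(r"^jobs:", re.MULTILINE)

READ_ONLY_BLOCK = "permissions:\n  contents: read\n"


def classify_workflow(text: str) -> str:
    """Return 'top-level', 'job-level' or 'missing' for one workflow's YAML text."""
    if TOP_LEVEL_PERMISSIONS.search(text):
        return "top-level"
    if JOB_LEVEL_PERMISSIONS.search(text):
        return "job-level"
    return "missing"


def add_read_only_permissions(text: str) -> str:
    """Insert the `contents: read` block just before `jobs:` unless a top-level
    block already exists. Jobs that declare their own permissions keep them,
    because a job-level block overrides the workflow-wide default."""
    if classify_workflow(text) == "top-level":
        return text  # leave `permissions: {}` stubs and other explicit choices alone
    match = TOP_LEVEL_JOBS.search(text)
    if match is None:
        return text.rstrip("\n") + "\n" + READ_ONLY_BLOCK
    return text[: match.start()] + READ_ONLY_BLOCK + text[match.start():]


def audit_directory(workflows_dir: str) -> dict[str, str]:
    """Map each *.yml / *.yaml file in the directory to its classification."""
    return {
        path.name: classify_workflow(path.read_text(encoding="utf-8"))
        for path in sorted(Path(workflows_dir).glob("*.y*ml"))
    }


# Constructed sample workflows (not files from the repository).
WORKFLOW_MISSING = """\
name: example-lint
on:
  pull_request:
    branches: [3.0]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./run-lint.sh   # hypothetical validator script
"""

WORKFLOW_STUB = """\
name: example-stub
on:
  pull_request_target:
permissions: {}
jobs:
  call-reusable:
    uses: ./.github/workflows/example-reusable.yml   # hypothetical path
"""

WORKFLOW_JOB_ONLY = """\
name: example-mixed
on: push
jobs:
  lint:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
  report:
    runs-on: ubuntu-latest
    steps:
      - run: echo report   # this job still gets the repository default scope
"""


if __name__ == "__main__":
    # Audit a real checkout: `python audit_permissions.py .github/workflows`
    target = sys.argv[1] if len(sys.argv) > 1 else ".github/workflows"
    for name, status in audit_directory(target).items():
        print(f"{status:10} {name}")
```

Running it against a checkout lists every workflow as `top-level`, `job-level` or `missing`; the `job-level` category is worth reporting separately, since a workflow that hardens one job still leaves its other jobs on the repository default token scope, which a top-level `contents: read` block closes without disturbing jobs that declare their own.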
arpitjain099 requested a review from a team as a code owner May 13, 2026 06:34
microsoft-github-policy-service Bot added the 3.0 PRs Destined for 3.0 label May 13, 2026
arpitjain099 force-pushed the ci/declare-permissions branch from 86e8397 to 0600f12 May 13, 2026 17:13