
Validate GitHub Actions workflows and add minimum permissions #43

Merged
mtracz merged 1 commit into main from copilot/validate-github-actions-workflows on Mar 26, 2026

Conversation

Contributor

Copilot AI commented Mar 25, 2026

Summary

Validated the GitHub Actions workflow and added minimum required permissions following security best practices.

Changes

  • Added `permissions: contents: read` at the workflow level in `.github/workflows/check.yml`

Security improvements

The workflow only needs to read repository contents (for `actions/checkout`). By explicitly setting `permissions: contents: read`, we:

  • Prevent the GITHUB_TOKEN from having write access by default
  • Restrict the token to only what is strictly needed
  • Follow the principle of least privilege

Already correct

  • All actions are pinned to full commit SHAs (not mutable tags) — prevents supply-chain attacks ✅
  • runs-on: ubuntu-24.04 uses a specific runner version ✅
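As an added example (not code from this PR or the repository), a small audit script that encodes the three checks the description above lists: a workflow-level `permissions` block is present and not `write-all`, every `uses:` is pinned to a full 40-hex commit SHA, and `runs-on` is not a floating `-latest` label. The two embedded workflows are constructed inputs, and the SHA in the hardened one is a placeholder, not a real `actions/checkout` commit.

```python
import re

# Constructed "before" workflow: no permissions block, a mutable tag pin,
# and a floating runner label. Not the repository's real check.yml.
WEAK_WORKFLOW = """\
name: check
on: [push, pull_request]
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
"""

# Constructed "after" workflow in the shape the PR describes. The 40-zero SHA
# is a placeholder standing in for a real pinned commit.
HARDENED_WORKFLOW = """\
name: check
on: [push, pull_request]
permissions:
  contents: read
jobs:
  check:
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4 placeholder
"""

USES = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
SHA_PIN = re.compile(r"^\s*-?\s*uses:\s*\S+@([0-9a-f]{40})(\s|$)")
RUNS_ON = re.compile(r"^\s*runs-on:\s*(\S+)")
PERMS = re.compile(r"^permissions:\s*(\S+)?")  # column 0 => workflow level


def audit_workflow(text: str) -> list:
    """Return a list of findings; an empty list means the workflow passes."""
    findings = []
    lines = text.splitlines()
    perms = [PERMS.match(l) for l in lines if PERMS.match(l)]
    if not perms:
        findings.append("no workflow-level permissions block (GITHUB_TOKEN keeps default scopes)")
    elif perms[0].group(1) == "write-all":
        findings.append("workflow-level permissions is write-all, not least privilege")
    for n, line in enumerate(lines, 1):
        m = USES.match(line)
        # Local actions (./path) have no ref to pin, so only remote refs are checked.
        if m and not m.group(1).startswith("./") and not SHA_PIN.match(line):
            findings.append(f"line {n}: {m.group(1)} is not pinned to a full commit SHA")
        m = RUNS_ON.match(line)
        if m and m.group(1).endswith("-latest"):
            findings.append(f"line {n}: runs-on {m.group(1)} is a floating runner label")
    return findings
```

Running `audit_workflow` over both constructed inputs yields three findings for the weak one and none for the hardened one.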

Copilot AI requested a review from mtracz March 25, 2026 14:37
@mtracz mtracz marked this pull request as ready for review March 25, 2026 21:27
@mtracz mtracz requested a review from a team March 25, 2026 21:27
@mtracz mtracz merged commit 9eb8f1e into main Mar 26, 2026
2 checks passed
@mtracz mtracz deleted the copilot/validate-github-actions-workflows branch March 26, 2026 11:10

3 participants