Skip to content

ci: add least-privilege workflow permissions (CodeQL)#604

Closed
jhamon wants to merge 1 commit into
mainfrom
security/ci-workflow-permissions
Closed

ci: add least-privilege workflow permissions (CodeQL)#604
jhamon wants to merge 1 commit into
mainfrom
security/ci-workflow-permissions

Conversation

@jhamon

@jhamon jhamon commented Jul 11, 2026

Copy link
Copy Markdown
Collaborator

What

Adds a top-level permissions: contents: read block to each workflow flagged by the actions/missing-workflow-permissions CodeQL rule.

Why

CodeQL flagged 11 actions/missing-workflow-permissions alerts across four workflows. Without an explicit permissions: block, jobs run with the repository's default GITHUB_TOKEN scopes, which can be broader than needed.

All four workflows are read-only — they check out the repo, run notebooks, or run a version census. None push commits, tags, releases, or comments. contents: read is sufficient.

Files

  • client-versions.yaml (1 job)
  • pr.yaml (3 jobs — reusable-workflow caller)
  • test-notebooks-all.yaml (3 jobs)
  • test-notebooks-changed.yaml (4 jobs)

Verification

  • YAML parses (yaml.safe_load); each file has permissions: {contents: read}.

Resolves 11 code-scanning alerts. Mirrors the SDK-tier fix (go-pinecone #146, pinecone-text #99, pinecone-java-client #224).

Refs PIN-24.


Note

Low Risk
Workflow-only scope tightening for read-only CI; risk is low unless a step later needs broader token permissions (not indicated in these workflows).

Overview
Adds an explicit top-level permissions: contents: read block (with a short comment) to four GitHub Actions workflows: client version reporting, PR (caller for lint/notebooks/client-versions), test all notebooks, and test changed notebooks.

This narrows the default GITHUB_TOKEN scope for those runs to repo read access only, addressing CodeQL actions/missing-workflow-permissions alerts. Behavior is unchanged for these read-only flows (checkout, lint, notebook runs, version census); no jobs in this diff gain write, comment, or release permissions.

Reviewed by Cursor Bugbot for commit d169d2d. Bugbot is set up for automated code reviews on this repo. Configure here.

Adds a top-level `permissions: contents: read` block to each workflow
flagged by the actions/missing-workflow-permissions CodeQL rule. All four
workflows are read-only (checkout, run notebooks, version census); none
push to the repo, so contents: read is sufficient.

Resolves 11 code-scanning alerts. Mirrors the SDK-tier fix (go-pinecone
#146, pinecone-text #99, pinecone-java-client #224).

Refs PIN-24.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@jhamon

jhamon commented Jul 11, 2026

Copy link
Copy Markdown
Collaborator Author

Superseded by #603 which covers the same changes.

@jhamon jhamon closed this Jul 11, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant