Skip to content

Comments

Add explicit permissions to GitHub Actions workflows#577

Merged
fain182 merged 1 commit intomainfrom
claude/add-github-actions-permissions-Nz0dO
Feb 22, 2026
Merged

Add explicit permissions to GitHub Actions workflows#577
fain182 merged 1 commit intomainfrom
claude/add-github-actions-permissions-Nz0dO

Conversation

@fain182
Copy link
Collaborator

@fain182 fain182 commented Feb 22, 2026

Summary

This PR adds explicit permissions declarations to GitHub Actions workflows to follow the principle of least privilege and improve security posture.

Key Changes

  • update-contributors.yml: Added contents: write permission (required for the workflow to commit contributor updates)
  • architectural-rules.yml: Added contents: read permission (required for PHPArkitect to analyze the codebase)
  • build.yml: Added contents: read permission (required for build process to access repository contents)
  • cs-fixer.yml: Added contents: read permission (required for PHP CS Fixer to analyze code)

Implementation Details

Each workflow now explicitly declares the minimum required permissions needed for its operations. This follows GitHub's security best practices by:

  • Preventing workflows from requesting unnecessary permissions by default
  • Making permission requirements transparent and auditable
  • Reducing the attack surface in case of workflow compromise

https://claude.ai/code/session_01K1TiMQ8Xb3v2TioBaGgdaE

@claude
Add top-level permissions block to all GitHub Actions workflows
148bd3b 
Apply the principle of least privilege to harden CI/CD security:
- build.yml: contents: read (publish_phar already overrides with write)
- update-contributors.yml: contents: write (needs to commit changes)
- architectural-rules.yml: contents: read
- cs-fixer.yml: contents: read

https://claude.ai/code/session_01K1TiMQ8Xb3v2TioBaGgdaE
@fain182 fain182 marked this pull request as ready for review February 22, 2026 19:00
@codecov
Copy link

codecov bot commented Feb 22, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 97.90%. Comparing base (636423c) to head (148bd3b).
⚠️ Report is 3 commits behind head on main.

Additional details and impacted files 
@@            Coverage Diff            @@
##               main     #577   +/-   ##
=========================================
  Coverage     97.90%   97.90%           
  Complexity      664      664           
=========================================
  Files            84       84           
  Lines          1911     1911           
=========================================
  Hits           1871     1871           
  Misses           40       40

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@fain182 fain182 merged commit 415aa56 into main Feb 22, 2026
37 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@fain182 @claude