
chore: add job-level permissions to workflows #1177

Merged
ffflorian merged 3 commits into main from chore/workflow-permissions
Apr 19, 2026

Conversation

@ffflorian
Owner

Summary

This PR moves GitHub Actions workflow permissions from the global workflow level to individual jobs, implementing the principle of least privilege.

Changes

  • Removed global permissions: blocks from workflow roots
  • Added job-level permissions to each job based on its functionality
  • All jobs receive a baseline of contents: read
  • Jobs performing sensitive operations (publishing, releasing, etc.) receive additional write permissions as needed

Permissions Added

  • npm publishing jobs: id-token: write, contents: write
  • Security/CodeQL analysis: security-events: write, packages: read, actions: read
  • Release/git operations: contents: write
  • Read-only jobs: contents: read (baseline)

Benefits

✅ Improved security posture
✅ Follows GitHub Actions best practices
✅ Easier to audit job-specific permissions
✅ Aligns with principle of least privilege
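
As an added illustration (not a file from this PR or the repository's own workflows), below is a workflow laid out the way the description above specifies: no top-level `permissions:` block, every job declaring its own set, `contents: read` as the floor and write scopes only on the job that needs them. The job names, action versions, Node version and the `NPM_TOKEN` secret name are assumptions.

```yaml
# Added example, not the repository's own workflow file.
# Before this change the scopes lived at the workflow root, e.g.
#
#   permissions:
#     contents: write
#     id-token: write
#     security-events: write
#
# and applied to every job, including ones that only run tests.
# After: no root-level block; each job declares exactly what it needs.
# Job names, action versions, Node version and secret name are assumptions.
name: ci

on:
  push:
    branches: [main]
    tags: ['v*']
  pull_request:

jobs:
  test:
    # Read-only baseline: checkout and tests need nothing else.
    # Once a job sets permissions, every scope not listed is 'none'.
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci
      - run: npm test

  codeql:
    # Uploading SARIF results needs security-events: write; actions: read
    # and packages: read are the extra scopes the CodeQL action documents
    # (run status on private repos, fetching private query packs).
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
      actions: read
      packages: read
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: javascript-typescript
      - uses: github/codeql-action/analyze@v3

  publish:
    # Runs only on version tags. id-token: write lets npm request the OIDC
    # token behind --provenance; contents: write covers the release/tag
    # operations the PR lists for publishing jobs.
    if: startsWith(github.ref, 'refs/tags/v')
    needs: [test, codeql]
    runs-on: ubuntu-latest
    permissions:
      contents: write
      id-token: write
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org
      - run: npm ci
      - run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
```

The check worth making when reviewing a change like this: a job that omits its own `permissions:` key does not get the `contents: read` floor, it inherits the repository's default token permissions (which on older repositories may still be read/write for every scope). So the audit is two greps over `.github/workflows/`: no root-level `permissions:` key, and a `permissions:` key under every job.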

ffflorian force-pushed the chore/workflow-permissions branch 3 times, most recently from 1b0b9e4 to 164a67f, April 18, 2026 18:09
ffflorian force-pushed the chore/workflow-permissions branch from 164a67f to c2e0b6f, April 18, 2026 18:12
ffflorian merged commit 63bcbee into main, April 19, 2026
4 checks passed
ffflorian deleted the chore/workflow-permissions branch, April 19, 2026 07:33