Skip to content

Add least privilege permissions to GitHub Actions workflows#3826

Merged
kennykerr merged 2 commits intomasterfrom
copilot/update-github-actions-permissions
Dec 1, 2025
Merged

Add least privilege permissions to GitHub Actions workflows#3826
kennykerr merged 2 commits intomasterfrom
copilot/update-github-actions-permissions

Conversation

Copy link
Copy Markdown
Contributor

Copilot AI commented Dec 1, 2025
edited
Loading

What's this all about?

Adds explicit permissions: contents: read to all workflow files that were missing permission declarations. This enforces least privilege by ensuring CI workflows only have read access to repository contents.

Updated (14 files): clippy, cross, doc, fmt, gen, lib, linux, miri, msrv, no-default-features, no_std, publish, slim_errors, test

Unchanged: web.yml already has appropriate permissions (contents: read, pages: write, id-token: write) for GitHub Pages deployment.

Fixes: #3572

Original prompt

Update all GitHub Actions workflow files in .github/workflows/ to explicitly set permissions to the minimum required. For standard test, lint, and documentation jobs, set:

permissions:
contents: read

If any workflow requires more permissive settings (such as 'publish.yml' for package publishing), only widen permissions as absolutely necessary. Do not reduce permissions if a workflow is already overly restrictive compared to the jobs' requirements. Add or update the permissions: key at the top level of each YAML workflow file, just after name: and on: if present.

The files to update are:

  • .github/workflows/clippy.yml
  • .github/workflows/cross.yml
  • .github/workflows/doc.yml
  • .github/workflows/fmt.yml
  • .github/workflows/gen.yml
  • .github/workflows/lib.yml
  • .github/workflows/linux.yml
  • .github/workflows/miri.yml
  • .github/workflows/msrv.yml
  • .github/workflows/no-default-features.yml
  • .github/workflows/no_std.yml
  • .github/workflows/publish.yml
  • .github/workflows/slim_errors.yml
  • .github/workflows/test.yml
  • .github/workflows/web.yml

Describe in the PR why least privilege permissions are being set and highlight any workflows where broader permissions are still necessary.

This pull request was created as a result of the following prompt from Copilot chat.

Update all GitHub Actions workflow files in .github/workflows/ to explicitly set permissions to the minimum required. For standard test, lint, and documentation jobs, set:

permissions:
contents: read

If any workflow requires more permissive settings (such as 'publish.yml' for package publishing), only widen permissions as absolutely necessary. Do not reduce permissions if a workflow is already overly restrictive compared to the jobs' requirements. Add or update the permissions: key at the top level of each YAML workflow file, just after name: and on: if present.

The files to update are:

  • .github/workflows/clippy.yml
  • .github/workflows/cross.yml
  • .github/workflows/doc.yml
  • .github/workflows/fmt.yml
  • .github/workflows/gen.yml
  • .github/workflows/lib.yml
  • .github/workflows/linux.yml
  • .github/workflows/miri.yml
  • .github/workflows/msrv.yml
  • .github/workflows/no-default-features.yml
  • .github/workflows/no_std.yml
  • .github/workflows/publish.yml
  • .github/workflows/slim_errors.yml
  • .github/workflows/test.yml
  • .github/workflows/web.yml

Describe in the PR why least privilege permissions are being set and highlight any workflows where broader permissions are still necessary.

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

@kennykerr
Add least privilege permissions to GitHub Actions workflows
af78861 
Set explicit `permissions: contents: read` on 14 workflow files to enforce
the principle of least privilege. This reduces the attack surface by ensuring
workflows only have the minimum permissions required for their tasks.

Workflows updated:
- clippy.yml, cross.yml, doc.yml, fmt.yml, gen.yml, lib.yml, linux.yml,
  miri.yml, msrv.yml, no-default-features.yml, no_std.yml, publish.yml,
  slim_errors.yml, test.yml

web.yml is unchanged as it already has appropriate permissions for GitHub
Pages deployment (contents: read, pages: write, id-token: write).

Co-authored-by: kennykerr <9845234+kennykerr@users.noreply.github.com>
Copilot AI changed the title [WIP] Update GitHub Actions workflows to set minimum permissions Add least privilege permissions to GitHub Actions workflows Dec 1, 2025
Copilot AI requested a review from kennykerr December 1, 2025 15:55
@kennykerr kennykerr marked this pull request as ready for review December 1, 2025 15:59
@kennykerr kennykerr merged commit eb27a6e into master Dec 1, 2025
29 checks passed
@kennykerr kennykerr deleted the copilot/update-github-actions-permissions branch December 1, 2025 16:44
@cjee21
Copy link
Copy Markdown

cjee21 commented Jan 9, 2026
edited
Loading

Why did Copilot link an unrelated issue in this PR?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@kennykerr kennykerr kennykerr approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@kennykerr kennykerr

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

cannot find type IMarshal in module windows_core::imp

3 participants

@cjee21 @kennykerr