[BRE-1333] Added permissions to app token generation step

[gitclonebrian]

🎟️ Tracking

BRE-1333

📔 Objective

Added permissions to app token generation step to limit scope of token. Also removed unnecessary permission from bump-version job.

⏰ Reminders before review

• Contributor guidelines followed
• All formatters and local linters executed and passed
• Written new unit and / or integration tests where applicable
• Protected functional changes with optionality (feature flags)
• Used internationalization (i18n) for all UI strings
• CI builds passed
• Communicated to DevOps any deployment requirements
• Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

• 👍 (:+1:) or similar for great changes
• 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
• ❓ (:question:) for questions
• 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
• 🎨 (:art:) for suggestions / improvements
• ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
• 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
• ⛏ (:pick:) for minor or nitpick changes

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 48.51%. Comparing base (e7b3593) to head (64da1a4).

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #212   +/-   ##
=======================================
  Coverage   48.51%   48.51%           
=======================================
  Files          36       36           
  Lines         907      907           
  Branches       73       73           
=======================================
  Hits          440      440           
  Misses        437      437           
  Partials       30       30           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[github-actions]

Checkmarx One – Scan Summary & Details – 23bac77b-dccf-4666-9e7e-a9ddd25fead8

Great job! No new security vulnerabilities introduced in this pull request

[claude]

Claude finished @gitclonebrian's task —— View job

---

Code Review Complete

• Read changed workflow files
• Evaluate PR title and description
• Review permission changes
• Post comprehensive review findings

---

Summary

This PR implements proper least-privilege permission scoping for GitHub App tokens in CI/CD workflows. The changes correctly add explicit permissions to token generation steps and remove unnecessary permission inheritance from job-level configurations.

PR Title and Description Quality

💭 The PR title and description are clear and accurate. The objective appropriately explains both the addition of permissions to token generation and the removal of unnecessary permissions from the bump-version job.

Findings

Finding 1: The permission changes correctly implement least-privilege access for GitHub App tokens.

Finding 2: Removal of secrets: inherit and id-token: write from bump-version job call is appropriate since the called workflow defines its own permissions.

Finding 3: The permission-actions: write comment clarifies intent but could be more precise.

Finding 4: The permission-contents: write addition enables the token to push commits as intended.

Detailed Analysis

Security and Best Practices

Positive observations:

1. Explicit permission scoping: Adding permission-actions: write in pack-and-release.yml:184 limits the GitHub App token to only dispatch workflows in the devops repository, following least-privilege principles.

2. Unnecessary permission removal: Removing id-token: write from the bump-version job call (pack-and-release.yml:206) is correct because the called workflow already defines id-token: write at version-bump.yml:20 for Azure login.

3. Secrets inheritance cleanup: Removing secrets: inherit eliminates unnecessary secret exposure since the called workflow obtains secrets via Azure Key Vault with its own identity.

4. Empty permissions object: Using permissions: {} (pack-and-release.yml:206) explicitly denies all permissions to the job caller, preventing accidental permission escalation.

5. Contents permission for commits: Adding permission-contents: write (version-bump.yml:46) enables the token to push version bump commits.

Minor Observations

🎨 Comment precision (.github/workflows/pack-and-release.yml:184): The comment # for dispatching workflows could be more specific: # for dispatching workflows in bitwarden/devops repository to match the explicit repositories: devops parameter on line 183.

Good Practices Observed

• Principle of least privilege applied throughout
• Clear inline comments documenting permission purpose
• Proper separation of concerns between caller and callee workflows

Action Items

None. The PR correctly implements the stated objective with appropriate security controls. The existing approval from @djsmith85 is warranted.

---