
Tighten GitHub Actions token permissions for Scorecard hardening#626

Draft
Copilot wants to merge 2 commits into main from copilot/improve-openssf-score

Conversation

Contributor

Copilot AI commented Mar 18, 2026

Summary

This reduces default GITHUB_TOKEN scope in two workflows to improve the repo’s OpenSSF posture without changing behavior. The change removes an unnecessary broad read grant in the Scorecard workflow and narrows PR validation from PR-write access to the Issues API scope it actually uses.

  • Problem
    • Workflow permissions were broader than required, which weakens least-privilege posture and can negatively affect OpenSSF token-permissions scoring.
  • Change
    • pr-validation.yml
      • Replace pull-requests: write with issues: write
      • Matches the workflow’s actual usage: listing/updating/creating PR comments via github.rest.issues.*
    • scorecard.yml
      • Replace workflow-level permissions: read-all with permissions: {}
      • Keep explicit job-level permissions as the single source of truth
  • Result
    • Smaller default token surface
    • Clearer permission intent
    • No functional workflow change

```yaml
permissions:
  contents: read
  issues: write
  checks: write
```

Checklist

  • All checks pass (build, test, lint)
  • Commits follow Conventional Commits
  • PR description uses the standard template (Problem / Change / Verification)

Merge method: Use Rebase and merge to maintain a linear history. The repository enforces rebase-only merges by default.

Create & merge guidance: Use scripts/pr-github.sh create to create PRs, and scripts/pr-github.sh create-and-merge to perform the merge (this script is the authoritative, repo-preferred tool for PR creation and merges). If you need to inspect/check the PR, use GitHub chat tools (github/*) as needed.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • api.securityscorecards.dev
    • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js (dns block)
  • scorecard.dev
    • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

Find a meaningful change that improves our openssf score and provides actual value to this repo.



Co-authored-by: oocx <584396+oocx@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Improve OpenSSF score with meaningful changes" to "Tighten GitHub Actions token permissions for Scorecard hardening" on Mar 18, 2026
Copilot AI requested a review from oocx March 18, 2026 05:58
Copilot finished work on behalf of oocx March 18, 2026 05:58
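As an added example (not code from this PR or its repository), the following Python audits already-parsed workflow dicts for the two issues the PR fixes: a blanket `read-all` at workflow level and a job whose effective token carries a write scope it does not need. It models the documented rule that a job-level `permissions:` block replaces the workflow-level one rather than merging with it; the workflow contents are constructed from the description above, and the `SCOPES` tuple and the `allowed_write` sets passed in are assumptions.

```python
"""Audit GITHUB_TOKEN grants in parsed GitHub Actions workflows (added example,
not code from this PR). Models two rules: a job-level `permissions:` block
entirely replaces the workflow-level one for that job, and `read-all` /
`write-all` grant that level on every scope (simplified to SCOPES, an assumption)."""

SCOPES = ("actions", "checks", "contents", "deployments", "id-token", "issues",
          "packages", "pages", "pull-requests", "security-events", "statuses")

def expand(perms):
    """Normalise a `permissions` value to {scope: level}; `{}` or absent -> no grants."""
    if perms == "read-all":
        return {s: "read" for s in SCOPES}
    if perms == "write-all":
        return {s: "write" for s in SCOPES}
    return dict(perms or {})

def effective_permissions(workflow):
    """Effective scopes per job: a job block replaces, not merges with, the top level."""
    top = expand(workflow.get("permissions"))
    return {name: expand(job.get("permissions")) if "permissions" in job else top
            for name, job in workflow["jobs"].items()}

def audit(workflow, allowed_write):
    """Findings: blanket top-level grants, a missing top-level block, and any job
    whose effective token has write on a scope not listed in allowed_write."""
    findings = []
    top = workflow.get("permissions")
    if top in ("read-all", "write-all"):
        findings.append(f"workflow-level permissions: {top}")
    elif "permissions" not in workflow:
        findings.append("no workflow-level permissions block (repo default applies)")
    for job, perms in effective_permissions(workflow).items():
        for scope, level in perms.items():
            if level == "write" and scope not in allowed_write:
                findings.append(f"job {job}: {scope}: write")
    return findings

# Constructed samples mirroring the two workflows as the PR describes them.
SCORECARD_JOB = {"permissions": {"contents": "read", "security-events": "write",
                                 "id-token": "write"}}
SCORECARD_BEFORE = {"permissions": "read-all", "jobs": {"analysis": SCORECARD_JOB}}
SCORECARD_AFTER = {"permissions": {}, "jobs": {"analysis": SCORECARD_JOB}}
PR_VALIDATION_BEFORE = {"permissions": {"contents": "read", "pull-requests": "write",
                                        "checks": "write"}, "jobs": {"validate": {}}}
PR_VALIDATION_AFTER = {"permissions": {"contents": "read", "issues": "write",
                                       "checks": "write"}, "jobs": {"validate": {}}}
```

Note that `read-all` at workflow level produces no job-level finding for the Scorecard job, because its own block overrides it; the finding is about the default any job without such a block would inherit, which is exactly the surface the PR shrinks.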