Skip to content

ci: scope down GitHub Token permissions #1662

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: mainline
Choose a base branch
from
Open

ci: scope down GitHub Token permissions #1662

wants to merge 3 commits into from

Conversation

@AdnaneKhan
Copy link

@AdnaneKhan AdnaneKhan commented Oct 21, 2025

Scope Down GitHub Token Permissions

This PR updates GitHub Actions workflows to use minimal required permissions instead of the default elevated permissions.

Why This Matters

Following the principle of least privilege, workflows should only have the specific permissions they need to function.

Changes

This PR adds explicit permissions: blocks to workflows that currently rely on default permissions, scoping them down to only what's required for their operations.

Please review the changes to ensure the specified permissions match your workflow requirements.

@AdnaneKhan AdnaneKhan marked this pull request as ready for review October 21, 2025 21:23
marofke
marofke requested changes Nov 3, 2025
View reviewed changes
Copy link
Contributor

@marofke marofke left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for your submission! I just have one change I think we'll need to make to ensure we preserve our existing behaviour.

.github/workflows/labeler.yml
paths:
- .github/config/labels.yml

permissions:
Copy link
Contributor

@marofke marofke Nov 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we'll also need pull-request:write since our labels also need to be applied to PRs https://github.com/aws/aws-rfdk/blob/mainline/.github/config/labels.yml

@marofke marofke added the response-requested Waiting on additional info and feedback. Will move to 'closing-soon' in 7 days. label Nov 7, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@marofke marofke marofke requested changes

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

response-requested Waiting on additional info and feedback. Will move to 'closing-soon' in 7 days.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@AdnaneKhan @marofke