
Conversation

@rtBot rtBot commented Jan 1, 2026

Summary

This PR adds explicit permissions: blocks to all GitHub Actions workflows to follow the principle of least privilege and resolve security scanning alerts.

Changes

1. phpcs_on_pull_request.yml

  • Added permissions: contents: read, pull-requests: write
  • Grants the minimal permissions needed to check out code and post PR comments

2. create.yml

  • Added permissions: contents: read
  • Grants read-only access for code checkout and WordPress.org deployment via SVN

3. playwright.yml

  • Added permissions: contents: read
  • Grants read-only access for code checkout and running E2E tests

Security Impact

Resolves: Code scanning alerts #1, #2, #39

Previously, these workflows ran with default GITHUB_TOKEN permissions which could be overly permissive. This change explicitly limits each workflow to only the permissions it needs.

References

- Add permissions block to phpcs_on_pull_request.yml (contents: read, pull-requests: write)
- Add permissions block to create.yml (contents: read)
- Add permissions block to playwright.yml (contents: read)

This follows the principle of least privilege and resolves GitHub code scanning alerts #1, #2, and #39.

Fixes: rtCamp/support#245
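The shape of the change described above, as an added example that is not the project's own workflow file: a pull-request lint workflow with the workflow-level permissions block the PR adds, plus the weak form it replaces as a comment. The job name, step names, the phpcs command line and the comment body are assumptions for illustration; the action names (actions/checkout, actions/github-script) are the real ones.

```yaml
# Added example (not the project's workflow): a PR-triggered lint workflow
# hardened the way the PR describes. Job name, step names, the phpcs
# command line and the comment text are assumptions for illustration.
name: PHPCS on pull request

on:
  pull_request:

# Workflow-level block. Once any permission is listed here, every scope
# not listed is set to "none" (only metadata: read is always kept), so
# this turns the repository-wide default into a per-workflow allowlist.
#
# Weak form this replaces: omitting the block entirely. The GITHUB_TOKEN
# then gets whatever the repository's "Workflow permissions" setting
# grants, which can be read/write on every scope (packages, contents,
# issues, ...), far more than a linter needs.
permissions:
  contents: read        # actions/checkout needs to read the repository
  pull-requests: write  # needed only to post the PR comment with GITHUB_TOKEN

jobs:
  phpcs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run PHPCS
        # Assumed command; the real project invokes its own standard.
        run: vendor/bin/phpcs --standard=WordPress --report=summary .

      - name: Comment on the pull request
        # Caveat: for pull_request events coming from a fork of a public
        # repository the token is read-only regardless of this block, so a
        # comment step that must work on fork PRs needs a separately scoped
        # bot token kept in secrets (the review on this PR notes the project
        # already uses one); the declared permission is then documentation
        # of intent rather than what actually authorizes the call.
        uses: actions/github-script@v7
        with:
          script: |
            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              body: 'PHPCS finished; see the workflow run for results.'
            });
```

A quick way to confirm the block took effect is to open any run of the workflow: the "Set up job" step lists the GITHUB_TOKEN permissions the run was granted, and every scope other than contents, pull-requests and metadata should read "none". For the two read-only workflows in this PR the block reduces to `permissions:` with `contents: read` alone; the SVN deployment in create.yml authenticates with its own WordPress.org credentials from secrets, which is why it needs nothing beyond repository read from the token.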
Copilot AI review requested due to automatic review settings January 1, 2026 12:48
Copilot AI left a comment


Pull request overview

This PR enhances security by adding explicit permissions: blocks to three GitHub Actions workflows, following the principle of least privilege and resolving code scanning alerts. Previously, these workflows ran with default GITHUB_TOKEN permissions which could be overly permissive.

  • Added minimal read-only permissions to workflows that only need to checkout code
  • Granted write permissions only where needed (PR comments in PHPCS workflow)
  • Addressed security scanning alerts #1, #2, and #39

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File                                        | Description
------------------------------------------- | -----------
.github/workflows/playwright.yml            | Added contents: read permission for the E2E test workflow that checks out code and uploads test artifacts
.github/workflows/phpcs_on_pull_request.yml | Added contents: read and pull-requests: write permissions for the PHPCS inspection workflow that posts review comments
.github/workflows/create.yml                | Added contents: read permission for the deployment workflow that checks out code and publishes to WordPress.org via SVN

The changes in this PR are well-structured and follow GitHub's security best practices. All three workflows have been assigned appropriate minimal permissions:

  1. playwright.yml correctly uses contents: read for code checkout and artifact uploads
  2. phpcs_on_pull_request.yml appropriately includes both contents: read and pull-requests: write (note: the workflow uses a custom bot token for posting comments, but declaring the permission is still correct for transparency)
  3. create.yml correctly uses contents: read for deployment operations

No issues were identified in this security-focused improvement.


@mrrobot47 mrrobot47 merged commit 734382c into develop Jan 1, 2026
12 checks passed
@mrrobot47 mrrobot47 deleted the fix/workflow-permissions branch January 1, 2026 12:50
@NoumaanAhamed NoumaanAhamed restored the fix/workflow-permissions branch January 1, 2026 12:55
@NoumaanAhamed NoumaanAhamed deleted the fix/workflow-permissions branch January 1, 2026 12:57
