gha/sync-release-branch: Use actions write permission#7102
Conversation
`workflows` is not a supported GITHUB_TOKEN permission key, so GitHub rejects the workflow definition. Use the valid `actions` permission for both jobs. Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
docker-agent
left a comment
There was a problem hiding this comment.
Assessment: 🟡 NEEDS ATTENTION
The fix correctly replaces the invalid workflows: write permission key with a valid one, unblocking the workflow. However, both jobs only perform git push operations that require contents: write (already present) — actions: write grants substantially broader capabilities than needed (canceling runs, deleting logs, managing secrets). The least-privilege fix would be to remove the second permission entry entirely.
| permissions: | ||
| contents: write | ||
| workflows: write | ||
| actions: write |
There was a problem hiding this comment.
[medium/security] actions: write is broader than required for this job's git-only operations
Both this job's steps (git push origin HEAD:refs/heads/$temporary_branch) only require contents: write, which is already granted. The actions: write scope was added as a replacement for the previously-invalid workflows: write, but it grants significantly more than is needed:
- Cancel or re-trigger workflow runs
- Delete workflow run logs and artifacts
- Manage repository-level Actions secrets
- Manage self-hosted runner group assignments
If this workflow were compromised (e.g. via a malicious pinned action), the actions: write token could be used to tamper with other workflow runs or wipe CI audit logs.
Suggested fix: Remove actions: write entirely — contents: write alone is sufficient for all git operations this job performs.
| actions: write | |
| permissions: | |
| contents: write |
| Confidence | Score |
|---|---|
| 🟡 moderate | 75/100 |
| permissions: | ||
| contents: write | ||
| workflows: write | ||
| actions: write |
There was a problem hiding this comment.
[medium/security] actions: write is broader than required for this job's git-only operations
The push-release-branch job only performs git push origin FETCH_HEAD:$RELEASE_BRANCH and git push origin --delete $TEMPORARY_BRANCH — both exclusively need contents: write, which is already present. The actions: write scope was added as a substitute for the previously-invalid workflows: write, but it confers unnecessary capabilities:
- Cancel or re-trigger workflow runs
- Delete workflow run logs and artifacts
- Manage repository-level Actions secrets
This job runs in a docker-releases environment, which may have elevated trust — keeping permissions minimal here is particularly important.
Suggested fix: Remove actions: write entirely — contents: write alone is sufficient.
| actions: write | |
| permissions: | |
| contents: write |
| Confidence | Score |
|---|---|
| 🟡 moderate | 75/100 |
There was a problem hiding this comment.
Yeah not sure if that will work, but Kevin said there's a chance and I trust him!
There was a problem hiding this comment.
Yeah not sure if that will work, but Kevin said there's a chance and I trust him!
There was a problem hiding this comment.
Fair enough to be cautious! The good news is that actions: write only governs workflow run management (canceling runs, deleting logs/artifacts, and managing secrets) — none of which this job attempts. Since the actual operations are just git push origin FETCH_HEAD:$RELEASE_BRANCH and git push origin --delete $TEMPORARY_BRANCH, they only exercise the repository's Git layer, which is covered by contents: write.
If there's concern about breaking the workflow, you could test it on a separate PR or branch first. But based on the code here, contents: write alone should be sufficient. Happy to clarify further if you'd like!
workflowsis not a supported GITHUB_TOKEN permission key, so GitHub rejects the workflow definition. Use the validactionspermission for both jobs.