Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions .github/workflows/sync-release-branch.yml
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,7 @@ jobs:
runs-on: ubuntu-24.04
permissions:
contents: write
workflows: write
actions: write

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[medium/security] actions: write is broader than required for this job's git-only operations

Both this job's steps (git push origin HEAD:refs/heads/$temporary_branch) only require contents: write, which is already granted. The actions: write scope was added as a replacement for the previously-invalid workflows: write, but it grants significantly more than is needed:

  • Cancel or re-trigger workflow runs
  • Delete workflow run logs and artifacts
  • Manage repository-level Actions secrets
  • Manage self-hosted runner group assignments

If this workflow were compromised (e.g. via a malicious pinned action), the actions: write token could be used to tamper with other workflow runs or wipe CI audit logs.

Suggested fix: Remove actions: write entirely — contents: write alone is sufficient for all git operations this job performs.

Suggested change
actions: write
permissions:
contents: write
Confidence Score
🟡 moderate 75/100

outputs:
base_sha: ${{ steps.sync.outputs.base_sha }}
has_changes: ${{ steps.sync.outputs.has_changes }}
Expand Down Expand Up @@ -120,7 +120,7 @@ jobs:
environment: docker-releases
permissions:
contents: write
workflows: write
actions: write

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[medium/security] actions: write is broader than required for this job's git-only operations

The push-release-branch job only performs git push origin FETCH_HEAD:$RELEASE_BRANCH and git push origin --delete $TEMPORARY_BRANCH — both exclusively need contents: write, which is already present. The actions: write scope was added as a substitute for the previously-invalid workflows: write, but it confers unnecessary capabilities:

  • Cancel or re-trigger workflow runs
  • Delete workflow run logs and artifacts
  • Manage repository-level Actions secrets

This job runs in a docker-releases environment, which may have elevated trust — keeping permissions minimal here is particularly important.

Suggested fix: Remove actions: write entirely — contents: write alone is sufficient.

Suggested change
actions: write
permissions:
contents: write
Confidence Score
🟡 moderate 75/100

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah not sure if that will work, but Kevin said there's a chance and I trust him!

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah not sure if that will work, but Kevin said there's a chance and I trust him!

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fair enough to be cautious! The good news is that actions: write only governs workflow run management (canceling runs, deleting logs/artifacts, and managing secrets) — none of which this job attempts. Since the actual operations are just git push origin FETCH_HEAD:$RELEASE_BRANCH and git push origin --delete $TEMPORARY_BRANCH, they only exercise the repository's Git layer, which is covered by contents: write.

If there's concern about breaking the workflow, you could test it on a separate PR or branch first. But based on the code here, contents: write alone should be sufficient. Happy to clarify further if you'd like!

timeout-minutes: 10
steps:
- name: Checkout
Expand Down
Loading