Skip to content

ci: add least-privilege permissions to GitHub Actions workflows#4157

Open
peter-matkovski wants to merge 4 commits into
developfrom
ci/workflow-least-privilege-permissions
Open

ci: add least-privilege permissions to GitHub Actions workflows#4157
peter-matkovski wants to merge 4 commits into
developfrom
ci/workflow-least-privilege-permissions

Conversation

@peter-matkovski

@peter-matkovski peter-matkovski commented Jul 6, 2026

Copy link
Copy Markdown

Summary

  • Add explicit workflow-level permissions blocks for CodeQL actions/missing-workflow-permissions alerts.
  • Minimal scopes only; actions: write where gh workflow run / cancel is used.

Linear

Test plan

  • CI passes
  • Code scanning alerts close after merge

Summary by CodeRabbit

  • Chores
    • Tightened GitHub Actions security by adding explicit, least-privilege workflow-level permissions.
    • Applied consistent read-only access (and limited additional scopes where required) across checks, release, cron, snapshot recording, metrics, smoke tests, code analysis, testflight, and copyright updates.
    • Kept workflow triggers and job logic unchanged while reducing the default token’s repository access.

Restrict default GITHUB_TOKEN scope per workflow. Write scopes granted only
where jobs dispatch/cancel workflows, publish packages, or label issues/PRs.

Refs: APPSEC-164
@peter-matkovski peter-matkovski requested a review from a team as a code owner July 6, 2026 10:05
@coderabbitai

coderabbitai Bot commented Jul 6, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: c0c1cedb-22c5-428c-b12e-478efc95fa13

📥 Commits

Reviewing files that changed from the base of the PR and between 7263f58 and 78cf17d.

📒 Files selected for processing (2)
  • .github/workflows/release-merge.yml
  • .github/workflows/release-start.yml
💤 Files with no reviewable changes (1)
  • .github/workflows/release-start.yml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/release-merge.yml

📝 Walkthrough

Walkthrough

This pull request adds explicit top-level permissions blocks to twelve GitHub Actions workflow files, restricting default token access to read-only scopes and limited write access where required. No job steps or workflow triggers were changed.

Changes

Workflow Permissions Hardening

Layer / File(s) Summary
CI check workflow permissions
.github/workflows/backend-checks.yml, .github/workflows/cron-checks.yml, .github/workflows/smoke-checks.yml, .github/workflows/sonar.yml
Adds permissions blocks granting contents: read, with smoke-checks.yml and sonar.yml also adding pull-requests: read.
Release workflow permissions
.github/workflows/release-merge.yml, .github/workflows/release-publish.yml, .github/workflows/release-start.yml
Adds permissions blocks scoping contents: read plus issues: read (release-merge) and contents: read for the other release workflows.
Metrics and utility workflow permissions
.github/workflows/sdk-performance-metrics.yml, .github/workflows/sdk-size-metrics.yml, .github/workflows/record-snapshots.yml, .github/workflows/testflight.yml, .github/workflows/update-copyright.yml
Adds permissions blocks granting contents: read combined with pull-requests: read (sdk metrics, testflight) or actions: write (record-snapshots).

Estimated code review effort: 1 (Trivial) | ~5 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the main change: adding least-privilege permissions across GitHub Actions workflows.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch ci/workflow-least-privilege-permissions

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 8

🧹 Nitpick comments (1)
.github/workflows/release-start.yml (1)

11-14: 🔒 Security & Privacy | 🔵 Trivial | 💤 Low value

actions: write may be unused here — gh workflow run uses a custom PAT, not the default token.

The "Integration Test" step overrides GITHUB_TOKEN with secrets.DANGER_GITHUB_API_TOKEN, so the default token's actions: write scope isn't exercised by this call. Based on a retrieved learning, the repo's default GITHUB_TOKEN already includes actions: write, so this explicit grant may be unnecessary for the workflow's actual behavior — worth double-checking if any other step relies on the default token for actions-scoped calls.

Based on learnings, "assume the default GITHUB_TOKEN permissions already include actions: write... Only add explicit permissions if the required scope is not covered by the repo's default token permissions."

Also applies to: 33-36

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release-start.yml around lines 11 - 14, The workflow
permissions in the release-start job appear to grant actions: write
unnecessarily, since the Integration Test step uses
secrets.DANGER_GITHUB_API_TOKEN instead of the default GITHUB_TOKEN. Review the
release-start workflow and remove the explicit actions: write permission unless
another step in the same workflow actually depends on the default token for
actions-scoped calls, keeping only the permissions that are truly needed.

Source: Learnings

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/record-snapshots.yml:
- Around line 6-9: The permissions block is malformed because actions: write is
indented under contents: read instead of being a sibling entry. Fix the YAML in
the workflow’s permissions section so Record Snapshots lists both contents and
actions at the same level, matching the intended scopes for the gh workflow run
call and keeping the workflow parseable.

In @.github/workflows/release-merge.yml:
- Around line 7-10: The workflow permissions block is malformed because issues:
read is indented under contents: read, which breaks YAML parsing. Fix the
permissions section in the release-merge workflow so both contents and issues
are sibling keys under permissions, and keep the indentation consistent with the
surrounding GitHub Actions YAML.

In @.github/workflows/release-start.yml:
- Around line 11-14: The workflow permissions block is misindented, causing
invalid YAML because actions: write is nested under contents: read. Fix the
permissions section so both permissions entries are aligned at the same level in
the release-start workflow, using the permissions mapping and its keys as the
unique markers to locate the issue.

In @.github/workflows/sdk-performance-metrics.yml:
- Around line 22-25: The permissions block in the workflow is malformed because
pull-requests is nested under contents instead of being a sibling entry, which
breaks YAML parsing. Fix the permissions section in the workflow file so that
permissions contains two sibling keys, contents and pull-requests, with their
read values aligned at the same level; use the permissions block near the
sdk-performance-metrics workflow definition to locate it.

In @.github/workflows/sdk-size-metrics.yml:
- Around line 19-22: The permissions block in the workflow YAML is malformed
because pull-requests: read is indented under contents: read instead of being a
sibling entry. Fix the permissions mapping in sdk-size-metrics by aligning
pull-requests with contents so the workflow parses correctly, and use the
existing permissions block in the workflow file as the place to update it.

In @.github/workflows/smoke-checks.yml:
- Around line 22-25: The permissions block in the smoke-checks workflow is
malformed because pull-requests: read is indented as if it were nested under
contents: read instead of being a sibling permission entry. Fix the YAML in the
permissions section so contents and pull-requests are aligned at the same level,
using the workflow’s permissions mapping to keep the file valid and parsable by
actionlint/YAMLlint.

In @.github/workflows/sonar.yml:
- Around line 12-15: The workflow permissions block has invalid YAML indentation
because pull-requests: read is nested under the scalar value for contents: read.
Fix the permissions section in the sonar workflow so contents and pull-requests
are sibling keys at the same indentation level, matching the valid pattern used
in the other workflow file.

In @.github/workflows/testflight.yml:
- Around line 25-28: The permissions block in the workflow YAML is malformed
because pull-requests: read is nested under contents: read instead of being a
sibling entry. Fix the permissions mapping in the testflight workflow so the
permissions section contains both contents and pull-requests at the same
indentation level; use the permissions block in the workflow file as the target
for the correction.

---

Nitpick comments:
In @.github/workflows/release-start.yml:
- Around line 11-14: The workflow permissions in the release-start job appear to
grant actions: write unnecessarily, since the Integration Test step uses
secrets.DANGER_GITHUB_API_TOKEN instead of the default GITHUB_TOKEN. Review the
release-start workflow and remove the explicit actions: write permission unless
another step in the same workflow actually depends on the default token for
actions-scoped calls, keeping only the permissions that are truly needed.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 46076e67-35b5-43d4-a7de-6eba915c9119

📥 Commits

Reviewing files that changed from the base of the PR and between adbcf43 and 4ac3b52.

📒 Files selected for processing (12)
  • .github/workflows/backend-checks.yml
  • .github/workflows/cron-checks.yml
  • .github/workflows/record-snapshots.yml
  • .github/workflows/release-merge.yml
  • .github/workflows/release-publish.yml
  • .github/workflows/release-start.yml
  • .github/workflows/sdk-performance-metrics.yml
  • .github/workflows/sdk-size-metrics.yml
  • .github/workflows/smoke-checks.yml
  • .github/workflows/sonar.yml
  • .github/workflows/testflight.yml
  • .github/workflows/update-copyright.yml

Comment thread .github/workflows/record-snapshots.yml
Comment thread .github/workflows/release-merge.yml
Comment thread .github/workflows/release-start.yml
Comment thread .github/workflows/sdk-performance-metrics.yml
Comment thread .github/workflows/sdk-size-metrics.yml
Comment thread .github/workflows/smoke-checks.yml
Comment thread .github/workflows/sonar.yml
Comment thread .github/workflows/testflight.yml
@peter-matkovski peter-matkovski self-assigned this Jul 6, 2026
Move workflow_dispatch back under on: in release-merge.yml and drop
unnecessary actions: write from release-start.yml (gh workflow run uses
DANGER_GITHUB_API_TOKEN).

Co-authored-by: Cursor <cursoragent@cursor.com>
@Stream-SDK-Bot

Copy link
Copy Markdown
Collaborator

SDK Size

title develop branch diff status
StreamChat 7.54 MB 7.54 MB 0 KB 🟢
StreamChatUI 4.27 MB 4.27 MB 0 KB 🟢
StreamChatCommonUI 0.84 MB 0.84 MB 0 KB 🟢

@sonarqubecloud

sonarqubecloud Bot commented Jul 6, 2026

Copy link
Copy Markdown

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants