Conversation

Copilot AI commented Oct 9, 2025

Integrates the @GitHubSecurityLab/actions-permissions action into the linter workflow to proactively analyze and optimize workflow permissions.

Changes Made

  • New Job: Added permissions-analysis job to .github/workflows/linter.yml that runs the GitHubSecurityLab/actions-permissions action (v1.0.10)
  • Documentation: Updated .github/workflows/linter.md to document the new permissions analysis feature
  • Security: Uses minimal permissions (contents: read) following GitHub security best practices
  • Consistency: Follows the same pattern as the existing actions-pinning job for file gathering and analysis
  • Configuration: Analyzes the same workflow files defined in the action-files input, supports both full repo analysis and changed-files-only mode

The permissions analysis job runs in parallel with other linting jobs (Super-Linter, CodeQL, Ratchet) and helps identify opportunities to minimize workflow permissions based on actual usage.

Testing

  • ✅ YAML syntax validation passes
  • ✅ Super-linter validation completes successfully
  • ✅ Code duplication checks pass (with appropriate jscpd ignore comments)
  • ✅ Workflow structure verified programmatically

Fixes #346

Original prompt

This section details the original issue you should resolve

<issue_title>feat(linter): add Workflow Permissions Analysis with @GitHubSecurityLab/actions-permissions</issue_title>
<issue_description>Is your feature request related to a problem? Please describe.
To proactively improve security, we want to analyze and optimize workflow permissions in our .github/workflows/linter.yml using the @GitHubSecurityLab/actions-permissions action.

Describe the solution you'd like
Integrate the @GitHubSecurityLab/actions-permissions action into the linter.yml workflow. The permissions analysis should ideally run as a separate job or step after the linter checks, follow GitHub best practices, and be well-documented.

Describe alternatives you've considered
Manually auditing and reviewing workflow permissions periodically, but automated analysis with the GitHubSecurityLab action is preferred for consistency and optimization.

Additional context
See the actions-permissions documentation for configuration details.
</issue_description>

Comments on the Issue (you are @copilot in this section)

Fixes #346


@neilime neilime left a comment

@copilot you can get project instructions here: https://github.com/hoverkraft-tech/ci-github-common/blob/main/AGENTS.md

After reading them, please implement the issue as expected

Copilot AI commented Oct 9, 2025

@copilot you can get project instructions here: https://github.com/hoverkraft-tech/ci-github-common/blob/main/AGENTS.md

After reading them, please implement the issue as expected

I've successfully implemented the workflow permissions analysis feature as requested in issue #346.

Changes made (commits 19d2857 and a2946ea):

  1. Added a new permissions-analysis job to .github/workflows/linter.yml that runs the @GitHubSecurityLab/actions-permissions action
  2. The job follows the same pattern as actions-pinning for consistency:
    • Runs on the same runners as other linting jobs
    • Analyzes the same workflow files specified in action-files input
    • Only runs when action-files input is provided
    • Uses minimal permissions (contents: read)
  3. Updated .github/workflows/linter.md documentation to include the new permissions analysis feature
  4. Added jscpd ignore comments to suppress expected code duplication between similar jobs

The implementation follows GitHub security best practices and integrates seamlessly with the existing linter workflow infrastructure.
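As an added example, not the PR's own linter.yml: a `permissions-analysis` job in the shape the description above gives (job-level `contents: read`, skipped when `action-files` is empty, full-repo or changed-files-only gathering). The inputs `action-files` and `changed-files-only`, the `monitor` sub-action path (the GitHubSecurityLab/actions-permissions repository publishes `monitor` and `advisor` sub-actions; check its README for the current inputs and the version to pin) and the closing grep-based check are assumptions made here, not taken from the PR.

```yaml
# Added example: a job in the shape the PR describes, not the merged linter.yml.
# Assumptions (not from the PR): the reusable workflow exposes the inputs below,
# the `monitor` sub-action path is as in the actions-permissions README, and the
# grep step is an illustrative static check, not output of the action.
on:
  workflow_call:
    inputs:
      action-files:
        description: Space-separated workflow files to analyze
        type: string
        default: ""
      changed-files-only:
        description: Analyze only workflow files changed against the base branch
        type: boolean
        default: false

jobs:
  permissions-analysis:
    # Skip the job entirely when the caller gave nothing to analyze.
    if: inputs.action-files != ''
    runs-on: ubuntu-latest
    # Least privilege: the job only reads the checkout. Anything it turns out
    # to need shows up in the monitor's report instead of being guessed.
    permissions:
      contents: read
    steps:
      # First step, so it observes the GITHUB_TOKEN use of every later step.
      - uses: GitHubSecurityLab/actions-permissions/monitor@v1

      - uses: actions/checkout@v4
        with:
          fetch-depth: 0 # history is needed for the changed-files diff

      - name: Gather workflow files
        id: gather
        # Caller-controlled inputs are passed through env, never interpolated
        # with ${{ }} inside the script, so they cannot inject shell.
        env:
          ACTION_FILES: ${{ inputs.action-files }}
          CHANGED_ONLY: ${{ inputs.changed-files-only }}
          BASE_REF: ${{ github.base_ref || github.event.repository.default_branch }}
        run: |
          set -euo pipefail
          if [ "$CHANGED_ONLY" = "true" ]; then
            files=$(git diff --name-only "origin/${BASE_REF}...HEAD" -- .github/workflows | tr '\n' ' ')
          else
            files="$ACTION_FILES"
          fi
          echo "files=${files}" >> "$GITHUB_OUTPUT"

      - name: Require an explicit, non-blanket permissions block
        env:
          FILES: ${{ steps.gather.outputs.files }}
        run: |
          set -euo pipefail
          status=0
          for f in $FILES; do
            if ! grep -Eq '^[[:space:]]*permissions:' "$f"; then
              echo "::error file=$f::no permissions block; the token falls back to the repository default"
              status=1
            fi
            if grep -Eq '^[[:space:]]*permissions:[[:space:]]*write-all' "$f"; then
              echo "::error file=$f::permissions: write-all grants every scope"
              status=1
            fi
          done
          exit "$status"
```

Two points worth checking on a job like this. The monitor action reports the API scopes used by the token of the job it runs in, so a standalone `permissions-analysis` job measures only its own steps; to get a recommendation for Super-Linter, CodeQL or Ratchet it would have to be the first step of each of those jobs. And a called workflow can only reduce, never raise, the permissions the caller grants, so the caller must grant at least `contents: read` for this job to check out the repository.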

Copilot AI changed the title from "[WIP] Add workflow permissions analysis with actions-permissions" to "feat(linter): add workflow permissions analysis with actions-permissions" Oct 9, 2025
Copilot AI requested a review from neilime October 9, 2025 21:20
@neilime neilime force-pushed the copilot/add-workflow-permissions-analysis branch from 19d2857 to 9da456a October 14, 2025 08:22
@neilime neilime marked this pull request as ready for review October 14, 2025 08:22
@neilime neilime force-pushed the copilot/add-workflow-permissions-analysis branch 4 times, most recently from e7e6f10 to e5a6c71 October 14, 2025 10:24
@neilime neilime force-pushed the main branch 2 times, most recently from 1323084 to b7dd413 October 14, 2025 11:07
@neilime neilime force-pushed the copilot/add-workflow-permissions-analysis branch 3 times, most recently from 184db82 to 081ec60 October 14, 2025 12:50
@neilime neilime force-pushed the main branch 8 times, most recently from 068f1ab to 81e985a October 29, 2025 13:10
@neilime neilime force-pushed the main branch 13 times, most recently from b7d88a2 to 19889eb October 29, 2025 16:34
@neilime neilime force-pushed the copilot/add-workflow-permissions-analysis branch 2 times, most recently from da7003a to 2fd7031 November 2, 2025 07:24
@neilime neilime force-pushed the copilot/add-workflow-permissions-analysis branch 2 times, most recently from 1404997 to d6ce392 November 17, 2025 09:08
@neilime neilime force-pushed the copilot/add-workflow-permissions-analysis branch 3 times, most recently from 9deee78 to 1513a1f November 21, 2025 19:18
@neilime neilime force-pushed the copilot/add-workflow-permissions-analysis branch from 1513a1f to 0f63586 December 5, 2025 17:57
- Add new permissions-analysis job to linter.yml workflow
- Job runs GitHubSecurityLab/actions-permissions to analyze workflow permissions
- Follows same pattern as actions-pinning job for consistency
- Uses minimal permissions (contents: read)
- Analyzes same workflow files as defined in action-files input
- Updates documentation to reflect new permissions analysis feature

Co-authored-by: neilime <314088+neilime@users.noreply.github.com>
Signed-off-by: Emilien Escalle <emilien.escalle@escemi.com>
@neilime neilime force-pushed the copilot/add-workflow-permissions-analysis branch from 0f63586 to 562d951 December 5, 2025 17:58