Summary
CodeQL code scanning has identified that our GitHub Actions workflows lack explicit permissions blocks. Without these, workflows inherit the repository/org default token permissions, which may be overly broad (read-write). This violates the principle of least privilege (CWE-275).
Affected Workflows (7 alerts)
| Workflow | Job |
| --- | --- |
| pint-lint.yml | detect_php_changes |
| pint-lint.yml | lint_php_code |
| php-static-analysis.yml | detect_changes |
| php-static-analysis.yml | run_phpstan |
| tests.yml | run_unit_tests |
| release.yml | create_release |
| validate-pr.yml | workflows |
Recommended Fix
Add top-level permissions blocks to each workflow with the minimal required access. For most CI workflows (lint, test, analysis), this is:
```yaml
permissions:
  contents: read
```
The release.yml workflow needs write access for creating releases and pushing tags/changelogs:
```yaml
permissions:
  contents: write
```
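To make the check behind these alerts reproducible locally, and to show what the fix does to a file, here is an added example (not part of this issue or of the repository's own tooling) that audits a workflow for explicit `permissions` blocks at the workflow and job level, in the same way the alerts above are reported per job, and inserts a minimal top-level block before `jobs:`. It uses a small indentation-based scan rather than a YAML library, so it assumes the plain block-mapping layout that GitHub Actions workflows normally use (top-level keys at column 0, `jobs:` at column 0); the sample workflows and the `tests.yml` label are constructed for the demonstration.

```python
import re

# Matches a YAML mapping key and captures its indentation; list items ("- uses: ...")
# deliberately do not match, so step entries are never mistaken for job keys.
KEY_RE = re.compile(r'^(\s*)([A-Za-z_][\w.-]*)\s*:')


def audit_workflow(text):
    """Return (workflow_has_permissions, {job_name: job_has_permissions})."""
    workflow_perms = False
    jobs = {}
    section = None      # current top-level key (name, on, jobs, ...)
    job_indent = None   # indentation at which job names appear under jobs:
    body_indent = None  # indentation of keys directly inside the current job
    current_job = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        m = KEY_RE.match(line)
        if not m:
            continue
        indent, key = len(m.group(1)), m.group(2)
        if indent == 0:
            section = key
            if key == 'permissions':   # covers "permissions: read-all" and "permissions: {}" too
                workflow_perms = True
            continue
        if section != 'jobs':
            continue
        if job_indent is None:
            job_indent = indent
        if indent == job_indent:
            current_job, body_indent = key, None
            jobs[key] = False
        elif current_job is not None:
            if body_indent is None:
                body_indent = indent
            if indent == body_indent and key == 'permissions':
                jobs[current_job] = True
    return workflow_perms, jobs


def find_missing_permissions(filename, text):
    """One finding per job that inherits the default token, mirroring the per-job alerts."""
    workflow_perms, jobs = audit_workflow(text)
    if workflow_perms:
        return []   # a top-level block applies to every job that does not override it
    return [f"{filename}: job '{job}' has no explicit permissions"
            for job, has_perms in jobs.items() if not has_perms]


def add_top_level_permissions(text, scopes):
    """Insert a top-level permissions block immediately before the column-0 'jobs:' key."""
    lines = text.splitlines()
    block = ['permissions:'] + [f'  {scope}: {level}' for scope, level in scopes.items()] + ['']
    for i, line in enumerate(lines):
        if line.startswith('jobs:'):
            return '\n'.join(lines[:i] + block + lines[i:]) + '\n'
    raise ValueError('no top-level jobs: key found')


# Constructed sample: no top-level block, one job overrides locally, one does not.
SAMPLE_NO_PERMS = """\
name: tests
on: [push, pull_request]

jobs:
  detect_changes:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
  run_unit_tests:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - run: echo "key: value"
"""

# Constructed sample: top-level write scope, as recommended for a release workflow.
SAMPLE_RELEASE = """\
name: release
on:
  push:
    tags: ['v*']
permissions:
  contents: write
jobs:
  create_release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
"""

if __name__ == '__main__':
    for finding in find_missing_permissions('tests.yml', SAMPLE_NO_PERMS):
        print(finding)
    fixed = add_top_level_permissions(SAMPLE_NO_PERMS, {'contents': 'read'})
    print(find_missing_permissions('tests.yml', fixed))   # [] once the block is present
```

Run it over `.github/workflows/*.yml` to get the same per-job list as the table above; the inserted block is the read-only default, and `release.yml` would be passed `{'contents': 'write'}` instead.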
References