
Conversation

@nikunj-kohli nikunj-kohli commented Oct 23, 2025

Summary

This PR restricts GITHUB_TOKEN permissions across all GitHub Actions workflows to follow the principle of least privilege, as recommended by GitHub and OpenSSF.

Problem: Currently, workflows use the default GITHUB_TOKEN permissions which are excessively permissive (read/write access to all issues, PRs, and repository contents). This token is available to all code and actions in a workflow, meaning malicious code in dependencies could steal the token and perform unauthorized actions.

Solution:

  • Added permissions: read-all as a top-level declaration to all 20 workflows that were missing it
  • Workflows that require write access retain job-level permission overrides
  • All 25 workflows now have explicit permissions defined

Security Improvements:

  1. Least Privilege: All workflows default to read-only access
  2. Reduced Attack Surface: Malicious code cannot steal tokens with excessive permissions
  3. Explicit Write Access: Only jobs that specifically need write permissions have them
  4. Best Practices Compliance: Follows GitHub and OpenSSF recommendations

Modified Workflows (20 files):

  • add-release-pongo.yml, ast-grep.yml, autodocs.yml, backport-fail-bot.yml, build.yml, build_and_test.yml, buildifier.yml, changelog-requirement.yml, changelog-validation.yml, community-stale.yml, copyright-check.yml, label-check.yml, label-schema.yml, labeler-v2.yml, openresty-patches-companion.yml, perf.yml, release.yml, update-ngx-wasm-module.yml, update-test-runtime-statistics.yml, upgrade-tests.yml

Checklist

  • The Pull Request has tests (N/A - security hardening only, no functional changes)
  • A changelog file has been created under changelog/unreleased/kong or skip-changelog label added on PR if changelog is unnecessary. README.md
  • There is a user-facing docs PR against https://github.com/Kong/developer.konghq.com - PUT DOCS PR HERE (N/A - internal workflow security improvement)

Issue reference

Fix #14778

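The layout the PR describes (a top-level read-only default, with a job-level override only where a job must write) looks like the following. This is an added example, not one of the Kong workflow files changed in the PR; the workflow name, job names, script path and action versions are illustrative assumptions.

```yaml
# Added example (not a Kong workflow): GITHUB_TOKEN defaults to read-only for
# the whole workflow, and only the one job that has to write gets write scopes.
# Workflow name, job names, script path and action versions are assumptions.
name: label-check-example

on:
  pull_request:
    types: [opened, synchronize, labeled, unlabeled]

# Before: this key was absent, so the token fell back to the repository's
# default workflow permissions (read/write on most scopes for non-fork runs).
# After: every job is read-only unless it declares its own permissions block.
permissions: read-all

jobs:
  lint:
    # Inherits read-all: this job cannot push, label, or comment.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/lint.sh   # assumed script path

  comment:
    # A job-level permissions block REPLACES the top-level one rather than
    # merging with it: every scope not listed here is set to none. A job that
    # also ran actions/checkout would therefore have to add "contents: read".
    needs: lint
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write   # the only write scope this job needs
    steps:
      - uses: actions/github-script@v7
        with:
          script: |
            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              body: "Lint passed."
            });
```

Two caveats when applying this pattern. `read-all` still grants read on every scope (packages, deployments, security events and so on); if a workflow only needs to check out code, `permissions: {}` at the top level plus an explicit `contents: read` on the jobs that check out is tighter. And the token handed to `pull_request` runs from forks is read-only regardless of what the workflow declares, so the top-level default mainly protects runs on pushes, tags, schedules and same-repository PRs; the repository setting under Settings > Actions > General > Workflow permissions can be set to read-only as well so that a workflow that forgets the key does not silently regain write access.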
CLAassistant commented Oct 23, 2025

CLA assistant check
All committers have signed the CLA.

@team-eng-enablement team-eng-enablement added the author/community PRs from the open-source community (not Kong Inc) label Oct 23, 2025
Labels

author/community PRs from the open-source community (not Kong Inc) size/M

Development

Successfully merging this pull request may close these issues.

Restrict GITHUB_TOKEN permissions on GitHub Actions

3 participants