
[codex] Harden GitHub Actions permissions #762 (Draft)

jbeckwith-oai wants to merge 1 commit into main from codex/harden-github-actions

Conversation

@jbeckwith-oai (Contributor)

Summary

  • Add explicit read-only contents: read defaults to all GitHub Actions workflows.
  • Stop persisting GITHUB_TOKEN credentials in checkout steps.
  • Move Stainless Maven artifact upload into a trusted push-only job with the only remaining id-token: write scope.
  • Restrict the secret-backed examples job to trusted main pushes.

Why

The repository currently has write-capable default workflow permissions, so jobs without explicit permissions: blocks inherit broader GITHUB_TOKEN access than they need. The previous CI build job also granted OIDC to the whole job while running pull request code, even though only the artifact upload path needed it.

Validation

  • Confirmed local main matched origin/main at 40124064c4cc42a6f82b3f367a7cde516bf449f6 before branching.
  • Parsed all four workflow YAML files with Ruby YAML.load_file.
  • Ran git diff --check.
  • Re-scanned workflows for tag-pinned actions, broad write permissions, persisted checkout credentials, pull_request_target, workflow_run, and secrets: inherit.

Follow-up outside this PR

The repo-level Actions setting should still be flipped from default workflow permission write to read, and "Allow GitHub Actions to create and approve pull requests" should be disabled in repository settings. Those are admin settings rather than repository files.
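The job layout the description sketches, written out as an added illustration rather than the PR's own workflow file; the workflow name, the `./mvnw` build command, the artifact name and the `./publish.sh` step are assumptions:

```yaml
# Added example, not the repository's actual workflow.
# Before the change: no top-level `permissions:` block, so every job inherited
# the repository's write-capable default GITHUB_TOKEN, and `id-token: write`
# was granted to the whole build job while it ran pull request code.
name: ci

on:
  pull_request:
  push:
    branches: [main]

# Explicit read-only default for every job; a job widens only what it needs.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    # Runs pull request code, so it gets no OIDC grant and no write scope.
    steps:
      - uses: actions/checkout@v4   # pin to a full commit SHA in real use
        with:
          persist-credentials: false   # do not leave GITHUB_TOKEN in .git/config
      - run: ./mvnw --batch-mode package   # assumed build command
      - uses: actions/upload-artifact@v4
        with:
          name: maven-artifacts   # assumed artifact name
          path: target/*.jar

  publish:
    # Trusted push-only job: never runs for pull_request events. The same
    # guard restricts the secret-backed examples job to main pushes.
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write   # the only remaining OIDC grant in the workflow
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: maven-artifacts
          path: target
      - run: ./publish.sh   # placeholder for the artifact upload step
```

The guard on `publish` is checked against the event, not the token, so a pull request from a fork can neither reach the OIDC grant nor the repository secrets.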

jbeckwith-oai force-pushed the codex/harden-github-actions branch from 81a48e0 to f0a1f5f on June 25, 2026 15:49
