fix: restrict GITHUB_TOKEN to contents: read in sync workflow #10

Merged

nbrieussel merged 1 commit into main from fix/workflow-permissions on Apr 14, 2026

Conversation

@nbrieussel

Summary

  • Adds permissions: contents: read to the sync job in the Safe Settings sync workflow
  • Restricts the GITHUB_TOKEN to the minimum required scope — it is only used by the two actions/checkout steps, so contents: read is sufficient
  • The sync itself authenticates via GitHub App credentials (APP_ID + PRIVATE_KEY), not GITHUB_TOKEN

Why

Without an explicit permissions: block, GITHUB_TOKEN inherits the org-wide default permissions, which may include write access across many scopes. This is unnecessarily broad for a workflow that does not need it.

Note on dry-run

This is a workflow infrastructure change (not a safe-settings config change), so no safe-settings dry-run is required. The workflow will be validated by GitHub Actions on the next push to main.

Closes #3
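The shape of the hardened workflow this PR describes, as an added example (not the repository's own safe-settings-sync.yml): the job-level permission, the two actions/checkout steps, the nop input and the APP_ID / PRIVATE_KEY secrets come from the PR; the trigger, step names, checkout paths and the sync command are assumptions.

```yaml
# Added example, not the repository's actual safe-settings-sync.yml.
name: Safe Settings sync

on:
  push:
    branches: [main]
  workflow_dispatch:
    inputs:
      nop:
        description: "Dry run: report changes without applying them"
        type: boolean
        default: false

# Workflow-level default: grant nothing unless a job asks for it.
# Before this fix there was no permissions block at all, so GITHUB_TOKEN
# inherited the org-wide default, which may be read-write on many scopes.
permissions: {}

jobs:
  sync:
    runs-on: ubuntu-latest
    # The only consumer of GITHUB_TOKEN in this job is actions/checkout,
    # which needs read access to repository contents and nothing else.
    permissions:
      contents: read
    steps:
      - name: Check out admin repo
        uses: actions/checkout@v4

      - name: Check out safe-settings config   # second checkout (path assumed)
        uses: actions/checkout@v4
        with:
          path: safe-settings

      - name: Run safe-settings sync
        # Hypothetical sync command. The sync authenticates as a GitHub App
        # with these secrets; GITHUB_TOKEN is not used here.
        run: ./safe-settings/run-sync.sh
        env:
          APP_ID: ${{ secrets.APP_ID }}
          PRIVATE_KEY: ${{ secrets.PRIVATE_KEY }}
          NOP: ${{ inputs.nop }}
```

A quick check after merge: the run's "Set up job" log lists the effective GITHUB_TOKEN permissions for the job, so `Contents: read` should be the only entry.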

The GITHUB_TOKEN previously inherited org-wide default permissions.
Since the workflow only uses GitHub App credentials for the sync and
GITHUB_TOKEN is only needed for the two actions/checkout steps,
restrict it to contents: read.

Closes #3
@nbrieussel (Author)

Dry-run validation

Triggered a manual dry-run on this branch before opening PR #11:

gh workflow run safe-settings-sync.yml --repo IntegratedDynamic/admin --ref fix/workflow-permissions -f nop=true

Run: https://github.com/IntegratedDynamic/admin/actions/runs/24372508236

Results

| Signal | Observation | Verdict |
|---|---|---|
| Config changes introduced by this PR | Zero — no "There are changes" line attributable to this branch | ✅ Safe |
| Pre-existing diffs (NicolasSettings, infrastructure, gitops) | Present on main too — org drift unrelated to this PR | ✅ Pre-existing, not introduced |
| Crash: Cannot read properties of undefined (reading 'check_suite') | Known safe-settings 2.1.17 NOP bug, reproducible on main | ✅ Pre-existing, not introduced |

Conclusion: this PR only adds permissions: contents: read to the workflow job — it does not touch any safe-settings config file. The dry-run confirms zero org-settings changes. Safe to merge. ✅


Note: PR #11 automates this gate so future PRs get this check automatically.

nbrieussel merged commit 93887fe into main on Apr 14, 2026
1 check failed
nbrieussel deleted the fix/workflow-permissions branch on April 14, 2026 at 11:38

Development

Successfully merging this pull request may close these issues.

[P1] Add permissions: contents: read to sync workflow