Skip to content

Set empty top-level permissions in claude-review#1864

Merged
leighmcculloch merged 1 commit into
mainfrom
add-top-level-permissions-claude-review
May 8, 2026
Merged

Set empty top-level permissions in claude-review#1864
leighmcculloch merged 1 commit into
mainfrom
add-top-level-permissions-claude-review

Conversation

@leighmcculloch
Copy link
Copy Markdown
Member

@leighmcculloch leighmcculloch commented May 8, 2026

What

Add permissions: {} at the workflow top level in .github/workflows/claude-review.yml, after the concurrency block and before jobs.

Why

Without an explicit top-level permissions block, jobs inherit whatever default GITHUB_TOKEN permissions the repository or organization grants. Setting permissions: {} at the workflow level enforces zero default permissions and forces every job to opt in to the exact scopes it needs (the review job already declares its own contents: read, pull-requests: write, id-token: write). This is the GitHub-recommended least-privilege hardening pattern and prevents future jobs added to this file from silently inheriting broad token scopes.

@leighmcculloch leighmcculloch marked this pull request as ready for review May 8, 2026 02:00
Copilot AI review requested due to automatic review settings May 8, 2026 02:00
@leighmcculloch leighmcculloch enabled auto-merge May 8, 2026 02:00
Copilot AI reviewed May 8, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Hardens the claude-review GitHub Actions workflow by explicitly setting top-level GITHUB_TOKEN permissions to none, ensuring all jobs must opt in to the minimum required scopes.

Changes:

  • Add permissions: {} at the workflow root level to enforce zero default token permissions.
  • Preserve least-privilege behavior by relying on the existing job-level permissions for the review job.

@leighmcculloch leighmcculloch added this pull request to the merge queue May 8, 2026
Merged via the queue into main with commit b9110c9 May 8, 2026
203 of 204 checks passed
@leighmcculloch leighmcculloch deleted the add-top-level-permissions-claude-review branch May 8, 2026 13:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@mootz12 mootz12 mootz12 approved these changes

+1 more reviewer

@fnando fnando fnando approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@leighmcculloch @fnando @mootz12