Description
14 workflows are triggered by risky events (issue_comment, pull_request_target) but use default read-write permissions, violating the principle of least privilege. This is a supply chain security vulnerability identified by the poutine scanner.
Current State
- Affected Workflows: 14 workflows
- Severity: Warning (Poutine security scanner)
- Impact: Workflows have more permissions than needed, increasing attack surface
Affected Workflows
Edit the markdown source files (.md files, NOT .lock.yml):
.github/workflows/ai-moderator.md
.github/workflows/archie.md
.github/workflows/brave.md
.github/workflows/cloclo.md
.github/workflows/grumpy-reviewer.md
.github/workflows/mergefest.md
.github/workflows/pdf-summary.md
.github/workflows/plan.md
.github/workflows/pr-nitpick-reviewer.md
.github/workflows/q.md
.github/workflows/scout.md
.github/workflows/security-review.md
.github/workflows/tidy.md
.github/workflows/unbloat-docs.md
Suggested Changes
Add explicit minimal permissions to the frontmatter:
Before:
```yaml
---
name: Example Workflow
on:
  issue_comment:
    types: [created]
---
```
After:
```yaml
---
name: Example Workflow
on:
  issue_comment:
    types: [created]
permissions:
  contents: read
  issues: write
  pull-requests: write
---
```
Common Permission Patterns
- Read data + create reports: contents: read, issues: write, pull-requests: read
- Respond to comments: contents: read, issues: write, pull-requests: write
- Modify code: contents: write, issues: write, pull-requests: write
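As an added example (not part of this issue or of the project's tooling), a small Python check that parses the frontmatter of the .md workflow sources and flags the pattern poutine reports: a risky trigger with no explicit permissions block. The rule id is the one quoted in this issue; the write-all check, the event set and the sample frontmatter are constructed here.

```python
import re

# Events named in the finding above: the workflow runs with a base-repository
# token while acting on content an outside contributor controls.
RISKY_EVENTS = {"issue_comment", "pull_request_target"}
TOP_KEY = re.compile(r"^([A-Za-z_][\w-]*):\s*(.*)$")
CHILD_KEY = re.compile(r"^\s+([A-Za-z_][\w-]*):")
# Constructed sample matching the "Before" frontmatter in this issue.
SAMPLE = "---\nname: Example Workflow\non:\n  issue_comment:\n    types: [created]\n---\n"

def frontmatter(text):
    """YAML lines between the first two '---' markers of a .md workflow file."""
    lines = text.strip().splitlines()
    if not lines or lines[0].strip() != "---":
        return []
    end = next((i for i, l in enumerate(lines[1:], 1) if l.strip() == "---"), None)
    return lines[1:end] if end else []

def top_level(lines):
    """Map each top-level key to (inline value, names of its direct child keys)."""
    keys, current, indent = {}, None, None
    for line in lines:
        m = TOP_KEY.match(line)
        if m:
            current, indent = m.group(1), None
            keys[current] = (m.group(2).strip(), [])
            continue
        c = CHILD_KEY.match(line)
        if current and c:
            level = len(line) - len(line.lstrip())
            indent = level if indent is None else indent
            if level == indent:  # direct children only, not nested keys like types:
                keys[current][1].append(c.group(1))
    return keys

def triggers(keys):
    """Events under 'on:', whether a scalar, an inline [a, b] list, or a mapping."""
    value, children = keys.get("on", ("", []))
    return set(children) or {e.strip() for e in value.strip("[]").split(",") if e.strip()}

def audit(text):
    """Findings as (rule, events) for one workflow .md file; [] means clean."""
    keys = top_level(frontmatter(text))
    risky = sorted(triggers(keys) & RISKY_EVENTS)
    if not risky:
        return []
    if "permissions" not in keys:  # rule id as reported by poutine in this issue
        return [("default_permissions_on_risky_events", risky)]
    if keys["permissions"][0] == "write-all":  # extra check of this script's own
        return [("write_all_on_risky_events", risky)]
    return []
```

Run audit() over each file listed above before and after the edit; a clean file returns an empty list.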
Files Affected
- 14 workflow markdown files in the .github/workflows/ directory
Success Criteria
- make recompile run after editing the .md sources so the .lock.yml files are regenerated
- The poutine default_permissions_on_risky_events warning is no longer reported
Priority
High - Security hardening, follows GitHub best practices
Estimated Effort
1-2 hours
Source
Extracted from:
Identified as high-priority security finding by Poutine supply chain scanner.
References
AI generated by Discussion Task Miner - Code Quality Improvement Agent