fix: narrow down action permissions to per-job ones#828
fix: narrow down action permissions to per-job ones#828steveiliop56 wants to merge 1 commit intomainfrom
Conversation
📝 WalkthroughWalkthroughThis PR implements least-privilege permission scoping across four GitHub Actions workflows by reducing top-level workflow permissions to read-only and adding explicit job-level permission grants. Each job now receives only the specific permissions it requires. Changes
Estimated code review effort🎯 2 (Simple) | ⏱️ ~10 minutes Possibly related PRs
Suggested labels
Suggested reviewers
Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Review rate limit: 1/3 review remaining, refill in 30 minutes and 6 seconds. Comment |
dosubot
Bot
added
the
size:XS
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/nightly.yml:
- Around line 149-150: The image-build jobs currently declare only "packages:
read" which prevents checkout and GHCR pushes; update each image-build job (the
four image-build job definitions referenced) to set job-level permissions to
include "contents: read" and "packages: write" so checkout works and images can
be pushed (i.e., replace or augment the existing permissions block for those
image-build jobs with contents: read and packages: write).
In @.github/workflows/release.yml:
- Around line 119-120: The job-level permissions for the image build jobs
currently only specify "packages: read", which prevents actions/checkout and
docker build-push from working; update each image build job's permissions block
to include both "contents: read" and "packages: write" (in addition to or
replacing the existing packages: read) so actions/checkout can access the repo
and docker/build-push-action can push to GHCR using GITHUB_TOKEN; locate the
YAML permission blocks that currently contain "permissions: packages: read" in
the four image build jobs and add "contents: read" and "packages: write" there.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro Plus
Run ID: ecc0114b-139a-4130-9d49-13254c9e0daf
📒 Files selected for processing (4)
.github/workflows/nightly.yml.github/workflows/release.yml.github/workflows/sponsors.yml.github/workflows/stale.yml
| permissions: | ||
| packages: read |
There was a problem hiding this comment.
🧩 Analysis chain
🌐 Web query:
In GitHub Actions, when jobs.<job_id>.permissionsdefines onlypackages: read, are unspecified scopes (like contents) set to none? Also, what GITHUB_TOKENscope is required to push Docker images to GHCR usingdocker/build-push-action?
💡 Result:
Yes, when jobs.<job_id>.permissions defines only packages: read, unspecified scopes like contents are set to none. To push Docker images to GHCR using docker/build-push-action, the GITHUB_TOKEN requires packages: write permission (and typically contents: read for checkout).
Citations:
- 1: https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token
- 2: https://docs.github.com/actions/using-workflows/workflow-syntax-for-github-actions
- 3: https://stackoverflow.com/questions/75926611/github-workflow-to-push-docker-image-to-ghcr-io
- 4: https://oneuptime.com/blog/post/2026-02-08-how-to-push-docker-images-to-github-container-registry/view
- 5: https://devopsboys.com/blog/github-actions-docker-push-permission-denied-fix-2026
- 6: https://docs.github.com/en/packages/managing-github-packages-using-github-actions-workflows/publishing-and-installing-a-package-with-github-actions
🏁 Script executed:
fd -t f "nightly.yml" --path "*workflows*"Repository: tinyauthapp/tinyauth
Length of output: 298
🏁 Script executed:
fd -t f "nightly.yml"Repository: tinyauthapp/tinyauth
Length of output: 46
🏁 Script executed:
find . -name "*.yml" -o -name "*.yaml" | grep -i workflowRepository: tinyauthapp/tinyauth
Length of output: 252
🏁 Script executed:
wc -l ./.github/workflows/nightly.ymlRepository: tinyauthapp/tinyauth
Length of output: 100
🏁 Script executed:
cat -n ./.github/workflows/nightly.yml | sed -n '140,160p;200,220p;260,280p;320,340p'Repository: tinyauthapp/tinyauth
Length of output: 2778
🏁 Script executed:
cat -n ./.github/workflows/nightly.yml | sed -n '151,195p;211,255p;271,315p;331,375p'Repository: tinyauthapp/tinyauth
Length of output: 8276
Build jobs are under-scoped and will fail image publishing.
All four image-build jobs (at lines 149-150, 209-210, 269-270, and 329-330) have permissions set to packages: read, but these jobs perform checkout and push container images to GHCR with push=true. When job-level permissions are defined with only packages: read, unspecified scopes default to none. This means these jobs lack the required packages: write permission to push images and contents: read permission for checkout to function properly.
🔧 Proposed fix
image-build:
runs-on: ubuntu-latest
needs:
- create-release
- generate-metadata
permissions:
- packages: read
+ contents: read
+ packages: write
image-build-distroless:
runs-on: ubuntu-latest
needs:
- create-release
- generate-metadata
- image-build
permissions:
- packages: read
+ contents: read
+ packages: write
image-build-arm:
runs-on: ubuntu-24.04-arm
needs:
- create-release
- generate-metadata
permissions:
- packages: read
+ contents: read
+ packages: write
image-build-arm-distroless:
runs-on: ubuntu-24.04-arm
needs:
- create-release
- generate-metadata
- image-build-arm
permissions:
- packages: read
+ contents: read
+ packages: write📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| permissions: | |
| packages: read | |
| permissions: | |
| contents: read | |
| packages: write |
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/nightly.yml around lines 149 - 150, The image-build jobs
currently declare only "packages: read" which prevents checkout and GHCR pushes;
update each image-build job (the four image-build job definitions referenced) to
set job-level permissions to include "contents: read" and "packages: write" so
checkout works and images can be pushed (i.e., replace or augment the existing
permissions block for those image-build jobs with contents: read and packages:
write).
| permissions: | ||
| packages: read |
There was a problem hiding this comment.
🧩 Analysis chain
🌐 Web query:
For GitHub Actions job-level permissions, do unspecified scopes become none? For GHCR image publishing with docker/build-push-actionandGITHUB_TOKEN, is packages: write required?
💡 Result:
Yes, for GitHub Actions job-level permissions, unspecified scopes are set to none. Yes, packages: write is required for publishing images to GHCR using docker/build-push-action with GITHUB_TOKEN.
Citations:
- 1: https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token
- 2: https://docs.github.com/actions/using-workflows/workflow-syntax-for-github-actions
- 3: https://docs.github.com/en/actions/concepts/use-cases/about-packaging-with-github-actions
- 4: https://docs.github.com/en/packages/learn-github-packages/about-permissions-for-github-packages
- 5: https://docs.github.com/packages/working-with-a-github-packages-registry/working-with-the-container-registry
- 6: https://docs.github.com/en/actions/guides/publishing-docker-images
- 7: https://stackoverflow.com/questions/75926611/github-workflow-to-push-docker-image-to-ghcr-io
- 8: https://oneuptime.com/blog/post/2026-02-20-github-actions-docker-build-push/view
🏁 Script executed:
# Check if the file exists and get its structure
file_path=".github/workflows/release.yml"
if [ -f "$file_path" ]; then
echo "File exists. Line count:"
wc -l "$file_path"
echo ""
echo "=== Lines 115-125 (around line 119) ==="
sed -n '115,125p' "$file_path"
echo ""
echo "=== Lines 172-182 (around line 176) ==="
sed -n '172,182p' "$file_path"
echo ""
echo "=== Lines 229-239 (around line 233) ==="
sed -n '229,239p' "$file_path"
echo ""
echo "=== Lines 286-296 (around line 290) ==="
sed -n '286,296p' "$file_path"
else
echo "File not found at $file_path"
git ls-files | grep -i release.yml
fiRepository: tinyauthapp/tinyauth
Length of output: 1347
🏁 Script executed:
# Get full job definitions for the image-build jobs
echo "=== image-build job (lines 115-170) ==="
sed -n '115,170p' .github/workflows/release.yml
echo ""
echo "=== image-build-distroless job (lines 172-227) ==="
sed -n '172,227p' .github/workflows/release.yml
echo ""
echo "=== Checking for docker/build-push-action usage ==="
grep -n "docker/build-push-action" .github/workflows/release.ymlRepository: tinyauthapp/tinyauth
Length of output: 4738
Image build jobs missing required permissions for checkout and publish.
All four image build jobs (lines 119, 176, 233, 290) currently have only packages: read. With job-level permission blocks, unspecified scopes default to none, causing these jobs to fail:
actions/checkoutrequirescontents: readto access repository codedocker/build-push-actionwithpush=trueto GHCR requirespackages: writeto publish images usingGITHUB_TOKEN
Add both permissions to each affected job:
🔧 Proposed fix
image-build:
runs-on: ubuntu-latest
needs:
- generate-metadata
permissions:
- packages: read
+ contents: read
+ packages: write
image-build-distroless:
runs-on: ubuntu-latest
needs:
- generate-metadata
- image-build
permissions:
- packages: read
+ contents: read
+ packages: write
image-build-arm:
runs-on: ubuntu-24.04-arm
needs:
- generate-metadata
permissions:
- packages: read
+ contents: read
+ packages: write
image-build-arm-distroless:
runs-on: ubuntu-24.04-arm
needs:
- generate-metadata
- image-build-arm
permissions:
- packages: read
+ contents: read
+ packages: write🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/release.yml around lines 119 - 120, The job-level
permissions for the image build jobs currently only specify "packages: read",
which prevents actions/checkout and docker build-push from working; update each
image build job's permissions block to include both "contents: read" and
"packages: write" (in addition to or replacing the existing packages: read) so
actions/checkout can access the repo and docker/build-push-action can push to
GHCR using GITHUB_TOKEN; locate the YAML permission blocks that currently
contain "permissions: packages: read" in the four image build jobs and add
"contents: read" and "packages: write" there.
scottmckendry
left a comment
scottmckendry
left a comment
There was a problem hiding this comment.
If coderabbit's comments are false positives (which I think they are) should be all good.
2 participants
Summary by CodeRabbit