
PDP-1182 SECCMP-1797: Add top-level permissions to restrict default token #1070

Merged
rjrudin merged 2 commits into develop from fix/SECCMP-1797-harden-permissions on Apr 8, 2026

Conversation

@GAdityaVarma
Contributor

SECCMP-1797: Add top-level permissions to restrict default token

Adds permissions: contents: read at the workflow level to restrict the default GITHUB_TOKEN scope. Without this, all jobs inherit the full pull_request_target write token.

The copyright-validation job already declares its own permissions block which overrides the default for that specific job.

Ref: Preventing pwn requests

stevebio and others added 2 commits February 20, 2026 12:47
MLE-26608 Release MarkLogic Node Client API 4.1.0
Adds explicit top-level permissions: contents: read to limit the
default GITHUB_TOKEN scope for all jobs. Individual jobs that need
write access (copyright-validation) already declare their own
permissions block which overrides the default.

This follows the principle of least privilege recommended in
GitHub's PwnRequest security guidance.
Copilot AI review requested due to automatic review settings April 8, 2026 13:59

Copilot AI left a comment


Pull request overview

Updates the repository’s pull_request_target workflow to reduce the default GITHUB_TOKEN scope at the workflow level, limiting inherited permissions across jobs.

Changes:

  • Adds workflow-level permissions: contents: read to restrict the default token scope.
  • Keeps job-level permission overrides for the copyright-validation job.

@@ -1,18 +1,17 @@
name: PR Workflow

on:
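Review bot: the hunk header's counts (18 lines before, 17 after) show this change removes more lines than it adds, yet the `permissions: contents: read` block the PR describes does not appear in the visible context (`name: PR Workflow`, `on:`). Confirm that the removed lines are only the pull_request_target rationale comment and that the new block sits at column 0 alongside `on:` and `jobs:`; a `permissions:` key indented under a single job would restrict that job only and leave the default token untouched for the others.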

Copilot AI Apr 8, 2026


The rationale for using pull_request_target (especially for fork PRs) was removed. Since this event has important security implications, consider keeping a brief comment explaining why pull_request_target is required here and what safeguards are assumed (e.g., no checkout of untrusted code).

Suggested change
on:
on:
# Use pull_request_target so these checks can run for fork PRs in the base
# repository context. This workflow is expected to remain metadata-only:
# it should not check out or execute untrusted PR code, and should only
# pass PR metadata to trusted reusable workflows.

jira-pr-check:
name: 🏷️ Validate JIRA ticket ID
# Use the reusable workflow from the central repository
uses: marklogic/pr-workflows/.github/workflows/jira-id-check.yml@main
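Review bot: `jira-pr-check` declares no `permissions:` of its own in these lines, so after this change the reusable workflow it calls runs with only `contents: read`; every other GITHUB_TOKEN scope becomes none, because a called workflow can never hold more than its caller's job grants. If jira-id-check.yml reads the PR title or body through the GitHub API rather than from the event payload it receives, it will now need an explicit `permissions: pull-requests: read` on this job. The `@main` reference is also mutable; pinning to a commit SHA is raised in the comment below.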

Copilot AI Apr 8, 2026


Reusable workflows are referenced by a mutable branch (@main) here (and also in the copyright-validation job below). For supply-chain security—especially with pull_request_target—pin reusable workflows to a specific commit SHA or a trusted, immutable tag to prevent unexpected upstream changes being pulled into this workflow.

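An audit check for the two points raised on this PR, written here as an added example and not the project's own tooling: it flags a pull_request_target workflow that lacks a read-only top-level `permissions:` block (the PR description) and any `uses:` reference not pinned to a full commit SHA (the review comment above). The sample workflows are constructed; the second job's reusable-workflow path and the 40-hex SHA are placeholders.

```python
import re
from itertools import takewhile

# Constructed sample workflow (not the project's file) with the weak shape this PR
# fixes; the second job's workflow path and the 40-hex SHA below are placeholders.
BEFORE = """\
name: PR Workflow
on:
  pull_request_target:
jobs:
  jira-pr-check:
    uses: marklogic/pr-workflows/.github/workflows/jira-id-check.yml@main
  copyright-validation:
    permissions:
      contents: read
    uses: OWNER/REPO/.github/workflows/PLACEHOLDER-copyright.yml@main
"""
AFTER = BEFORE.replace("name: PR Workflow\n", "name: PR Workflow\npermissions:\n  contents: read\n") \
              .replace("@main", "@0123456789abcdef0123456789abcdef01234567")

def top_level_body(wf: str, key: str) -> "list[str] | None":
    """Inline value plus indented lines of a column-0 `key:`; None if the key is absent."""
    lines = wf.splitlines()
    for i, line in enumerate(lines):
        m = re.match(rf"^{key}:\s*(.*)$", line)
        if m:
            return [m.group(1)] + list(takewhile(lambda l: not l.strip() or l[0].isspace(), lines[i + 1:]))
    return None

def triggers_on_pull_request_target(wf: str) -> bool:
    """Covers both `on: [pull_request_target]` and the nested mapping form."""
    body = top_level_body(wf, "on") or []
    return any(re.search(r"\bpull_request_target\b", b) for b in body)

def top_level_permissions_restricted(wf: str) -> bool:
    """True if a column-0 permissions: block exists and grants no write level."""
    body = top_level_body(wf, "permissions")
    return body is not None and not any(re.search(r"\bwrite(-all)?\b", b) for b in body)

def unpinned_uses(wf: str) -> list[str]:
    """uses: refs on a branch or tag instead of a full commit SHA (local ./ refs have no @)."""
    refs = re.findall(r"^\s*-?\s*uses:\s*(\S+@\S+)", wf, re.M)
    return [r for r in refs if not re.fullmatch(r"[0-9a-f]{40}", r.rsplit("@", 1)[1])]

def audit(wf: str) -> list[str]:
    findings = []
    if triggers_on_pull_request_target(wf) and not top_level_permissions_restricted(wf):
        findings.append("pull_request_target without a read-only top-level permissions block")
    findings += [f"unpinned reusable workflow or action: {r}" for r in unpinned_uses(wf)]
    return findings
```

Running `audit(BEFORE)` yields three findings (the missing top-level block and two `@main` references); `audit(AFTER)` yields none.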
@GAdityaVarma GAdityaVarma changed the title SECCMP-1797: Add top-level permissions to restrict default token PDP-1182 SECCMP-1797: Add top-level permissions to restrict default token Apr 8, 2026
@rjrudin rjrudin changed the base branch from master to develop April 8, 2026 14:14
@github-actions

github-actions Bot commented Apr 8, 2026

Copyright Validation Results
Total: 9 | Passed: 0 | Failed: 6 | Skipped: 3 | at: 2026-04-08 14:14:38 UTC | commit: 00fc4eb

❌ Failed Files

  • lib/plan-builder-base.js

    Error:

    - Copyright format does not match expected format

    Expected header:

    Copyright (c) 2015-2026 Progress Software Corporation and/or its subsidiaries or affiliates. All Rights Reserved.
    
  • lib/plan-builder-generated.js

    Error:

    - Copyright format does not match expected format

    Expected header:

    Copyright (c) 2015-2026 Progress Software Corporation and/or its subsidiaries or affiliates. All Rights Reserved.
    
  • test-basic/optic-vector.js

    Error:

    - Copyright format does not match expected format

    Expected header:

    Copyright (c) 2015-2026 Progress Software Corporation and/or its subsidiaries or affiliates. All Rights Reserved.
    
  • test-basic/plan-builder-generated.js

    Error:

    - Copyright format does not match expected format

    Expected header:

    Copyright (c) 2015-2026 Progress Software Corporation and/or its subsidiaries or affiliates. All Rights Reserved.
    
  • test-basic/service-caller.js

    Error:

    - Copyright format does not match expected format

    Expected header:

    Copyright (c) 2015-2026 Progress Software Corporation and/or its subsidiaries or affiliates. All Rights Reserved.
    
  • test-basic/ssl-min-allow-tls-test.js

    Error:

    - Copyright format does not match expected format

    Expected header:

    Copyright (c) 2015-2026 Progress Software Corporation and/or its subsidiaries or affiliates. All Rights Reserved.
    

⏭️ Skipped (Excluded) Files

  • .github/workflows/pr-workflow.yaml
  • package-lock.json
  • package.json

🛠️ Guidance

Follow these steps to fix the failed files:

  1. Insert the expected header at the very top (within first 20 lines) of each failed file.
  2. Ensure the year range matches the configuration (start year through current year).
  3. Do not alter spacing or punctuation in the header line.
  4. Commit and push the changes to update this check.

@rjrudin rjrudin merged commit ce2461b into develop Apr 8, 2026
10 of 14 checks passed
@rjrudin rjrudin deleted the fix/SECCMP-1797-harden-permissions branch April 8, 2026 14:14
@SameeraPriyathamTadikonda
Contributor

@GAdityaVarma We can remove this workflow from this repository

5 participants