ci: declare minimum permissions on stale-issues workflow#4065
ci: declare minimum permissions on stale-issues workflow#4065arpitjain099 wants to merge 2 commits into
Conversation
Signed-off-by: Arpit Jain <[email protected]>
|
Hi, I’m Jit, a friendly security platform designed to help developers build secure applications from day zero with an MVS (Minimal viable security) mindset. In case there are security findings, they will be communicated to you as a comment inside the PR. Hope you’ll enjoy using Jit. Questions? Comments? Want to learn more? Get in touch with us. |
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
|
Hey @arpitjain099, thank you for your contribution! Can you please apply the suggested change and it will be ready for merging :) |
Per Cursor Bugbot's catch and @petyaslavova's confirmation: actions/stale@v10 saves state to the Actions cache when operations-per-run is hit and may need to delete conflicting entries, which requires actions: write. Without it the action 403s on cache lifecycle ('Resource not accessible by integration') and can permanently skip previously processed issues. Signed-off-by: Arpit Jain <[email protected]>
|
Thanks @petyaslavova, applied. Added |
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit 3703d24. Configure here.
| permissions: | ||
| issues: write | ||
| pull-requests: write | ||
| actions: write |
There was a problem hiding this comment.
Overly broad actions: write undermines minimum-permission goal
Medium Severity
The actions: write permission grants the ability to cancel, re-run, and delete workflow runs — not just manage caches. This contradicts the PR's explicit goal of minimizing blast radius against supply-chain attacks (CVE-2025-30066). A compromised actions/stale with this scope could disrupt CI/CD by canceling runs or destroy audit trails by deleting them. This is a known concern tracked in actions/stale#1159. The PR description itself states the minimum scopes are only issues: write and pull-requests: write.
Reviewed by Cursor Bugbot for commit 3703d24. Configure here.
2 participants
Pins
.github/workflows/stale-issues.ymlto the minimum scopesactions/stale@v10actually uses:issues: writeandpull-requests: write. The workflow runs two passes ofactions/stale, one for the default 365-day timeline and one forneeds-informationissues on a 30-day accelerated path. Both passes only touch labels, comments, and close-state on issues and PRs - neither needscontentsaccess at all.CVE-2025-30066 (the March 2025
tj-actions/changed-filessupply-chain attack) is the motivation: a tampered third-party action exfiltratedGITHUB_TOKENfrom workflow logs and the blast radius equalled whatever scope was issued. Today this workflow inherits the org-default token scope, so if that default is anything broader thanissues+pull-requests: writethe daily cron is silently handing more authority toactions/stalethan the action needs. Pinning at the actual minimum closes that gap, gives drift protection, and registers with OpenSSF Scorecard's Token-Permissions check.YAML validated locally with
yaml.safe_load.Note
Low Risk
Low risk configuration change, but could affect the scheduled stale automation if the declared token permissions are insufficient or too restrictive.
Overview
Adds an explicit
permissionsblock to.github/workflows/stale-issues.ymlto scope theGITHUB_TOKENforactions/stale@v10runs (issues/PR write, plus actions write) instead of relying on repository/org defaults.This reduces the workflow’s token blast radius for the scheduled stale issue/PR labeling and closing automation without changing the stale policy logic itself.
Reviewed by Cursor Bugbot for commit 3703d24. Bugbot is set up for automated code reviews on this repo. Configure here.