
ci: restrict default GITHUB_TOKEN to contents:read in update-templates workflow#806

Merged
l2ysho merged 2 commits into master from alert-fix-15 on Jun 21, 2026

Conversation

@l2ysho l2ysho commented Jun 10, 2026

Contributor

Closes code-scanning alert https://github.com/apify/actor-templates/security/code-scanning/15 (actions/missing-workflow-permissions).
All privileged operations in this workflow already use the explicit
APIFY_SERVICE_ACCOUNT_GITHUB_TOKEN PAT; the default GITHUB_TOKEN is unused
and can be safely locked down to least privilege.

…s workflow

Closes code-scanning alert #15 (actions/missing-workflow-permissions).
All privileged operations in this workflow already use the explicit
APIFY_SERVICE_ACCOUNT_GITHUB_TOKEN PAT; the default GITHUB_TOKEN is unused
and can be safely locked down to least privilege.
@l2ysho l2ysho self-assigned this Jun 10, 2026
@l2ysho l2ysho added adhoc Ad-hoc unplanned task added during the sprint. t-dx Issues owned by the DX team. labels Jun 10, 2026
@github-actions github-actions Bot added this to the 142nd sprint - Tooling team milestone Jun 10, 2026
@l2ysho l2ysho enabled auto-merge (squash) June 10, 2026 13:44

@DaveHanns DaveHanns left a comment

Contributor

Suggestion: let's figure out whether we can lower the access scope repo-wide via https://github.com/apify/actor-templates/settings/actions.

We should, ideally, use the org account PAT for sensitive actions anyway.

@l2ysho l2ysho commented Jun 12, 2026

Contributor Author

> Suggestion: let's figure out whether we can lower the access scope repo-wide via https://github.com/apify/actor-templates/settings/actions.
>
> We should, ideally, use the org account PAT for sensitive actions anyway.

Good call, I changed it to read, let's see if something breaks.

@l2ysho l2ysho commented Jun 18, 2026

Contributor Author

> > Suggestion: let's figure out whether we can lower the access scope repo-wide via https://github.com/apify/actor-templates/settings/actions.
> > We should, ideally, use the org account PAT for sensitive actions anyway.
>
> Good call, I changed it to read, let's see if something breaks.

Reverting this back to read/write because it breaks the Apify pull request toolkit, which is defined in another repo, apify/workflows. It is probably worth discussing changing the default permissions to read company-wide to honor the least-privilege principle 🤔
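Added example, not the apify/actor-templates workflow nor any file from apify/workflows: one workflow that combines the three things discussed in this thread. The workflow-level `permissions: contents: read` is the change this PR makes; the explicit PAT carries the privileged push so the default token never needs write access; and a reusable-workflow job that genuinely needs to write to pull requests opts in at job level, which is the alternative to restoring read/write repo-wide when the repository setting is lowered. The workflow name, script path, checkout usage and the reusable-workflow path are assumptions; only the secret name comes from the PR description.

```yaml
# Illustrative workflow (added example; names and paths are assumptions).
name: update-templates

on:
  push:
    branches: [master]
  pull_request:

# Workflow-level default: every job below gets a read-only GITHUB_TOKEN unless
# it declares its own block. An explicit key here overrides whatever the
# repository setting (Settings > Actions > General > Workflow permissions)
# would otherwise hand out, so this workflow behaves the same whether that
# setting is "Read and write" or "Read repository contents and packages".
permissions:
  contents: read

jobs:
  update-templates:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Privileged git operations authenticate with the explicit PAT,
          # so GITHUB_TOKEN can stay read-only.
          token: ${{ secrets.APIFY_SERVICE_ACCOUNT_GITHUB_TOKEN }}
      - run: ./scripts/update-templates.sh   # assumed script
      - run: git push                          # uses the PAT persisted by checkout

  # A job that must write (e.g. a PR-commenting toolkit kept in a reusable
  # workflow in another repository) widens the token for itself only, instead of
  # the whole workflow or the whole repository.
  pr-toolkit:
    uses: apify/workflows/.github/workflows/pr-toolkit.yaml@main   # path is an assumption
    permissions:
      contents: read
      pull-requests: write
    secrets: inherit
```

The point relevant to the revert: lowering the repository-wide default only changes what workflows that declare no `permissions` key receive, and a called reusable workflow can reduce but never raise the permissions its caller passes in. A toolkit that relied on the implicit read/write token therefore stops working once the default is read-only, and the least-privilege fix is to grant the write scope it needs on the calling job rather than to restore write access repo- or org-wide.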

@DaveHanns DaveHanns commented

Contributor

> > > Suggestion: let's figure out whether we can lower the access scope repo-wide via https://github.com/apify/actor-templates/settings/actions.
> > > We should, ideally, use the org account PAT for sensitive actions anyway.
> >
> > Good call, I changed it to read, let's see if something breaks.
>
> Reverting this back to read/write because it breaks the Apify pull request toolkit, which is defined in another repo, apify/workflows. It is probably worth discussing changing the default permissions to read company-wide to honor the least-privilege principle 🤔

Good finding. Feel free to present this at the next platform symposium.

@l2ysho l2ysho closed this in #812 Jun 19, 2026
auto-merge was automatically disabled June 19, 2026 11:33

Pull request was closed

@l2ysho l2ysho reopened this Jun 21, 2026
@l2ysho l2ysho merged commit 9a86b79 into master Jun 21, 2026
40 checks passed
@l2ysho l2ysho deleted the alert-fix-15 branch June 21, 2026 21:08

4 participants