Hardening GITHUB_TOKEN permissions by eskwor · Pull Request #403 · felleslosninger/github-workflows

eskwor · 2026-03-25T07:31:05Z

Hardening GITHUB_TOKEN permissions (least privilege)

we started by setting permissions: {} to fully disable all default GITHUB_TOKEN access
incrementally added only the permissions required for the workflow to succeed, based on observed errors

Why this change?

reduces risk of accidental or malicious misuse of the token
aligns with GitHub’s least-privilege security best practices
makes permissions explicit, auditable, and easier to reason about

Result: a minimal, secure, and maintainable permission set tailored to the workflow’s real requirements

Tested OK using

ci-spring-boot-build-publish-image.yml using https://github.com/felleslosninger/plattform-test-app/actions/runs/23452000457
ci-quarkus-build-publish-image.yml using https://github.com/felleslosninger/plattform-test-app-quarkus/actions/runs/23482889666/job/68480742154
ci-docker-build-publish-image.yml using https://github.com/felleslosninger/plattform-test-app/blob/main/.github/workflows/deploy-dockerfile.yml#L8C62-L8C88

…ninger/github-workflows into hardening-gh-token-permissions

eskwor and others added 26 commits March 25, 2026 08:24

Hardening GITHUB_TOKEN permissions

f9a61e3

Update README.md

424aee6

Test

4e0c651

Merge branch 'hardening-gh-token-permissions' of github.com:felleslos…

8fab593

…ninger/github-workflows into hardening-gh-token-permissions

Test

02a38b3

Update ci-build-publish-image.yml

552a907

Update ci-build-publish-image.yml

a052abd

Update ci-build-publish-image.yml

12ce672

Update ci-spring-boot-build-publish-image.yml

5d72dfb

Update ci-build-publish-image.yml

6eadb2e

Update ci-spring-boot-build-publish-image.yml

12fd4ee

Update ci-build-publish-image.yml

0c945a6

Update ci-build-publish-image.yml

6c9fb9b

Update ci-spring-boot-build-publish-image.yml

447500d

Update ci-quarkus-build-publish-image.yml

eb9ec05

Update ci-build-publish-image.yml

7cc4c30

Update ci-quarkus-build-publish-image.yml

4e9e6b3

Update ci-quarkus-build-publish-image.yml

fb30244

Update ci-quarkus-build-publish-image.yml

67f63d5

Update ci-build-publish-image.yml

c4e129d

Update ci-build-publish-image.yml

573d441

Update ci-build-publish-image.yml

76f24e8

Update ci-spring-boot-build-publish-image.yml

7c82aab

Update ci-build-publish-image.yml

110e675

Update ci-build-publish-image.yml

68e4e4a

Update ci-spring-boot-build-publish-image.yml

a71f9c7

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Hardening GITHUB_TOKEN permissions#403

Hardening GITHUB_TOKEN permissions#403
eskwor wants to merge 26 commits intomainfrom
hardening-gh-token-permissions

eskwor commented Mar 25, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

eskwor commented Mar 25, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

eskwor commented Mar 25, 2026 •

edited

Loading