Skip to content

Harden GitHub Actions token scope and remediate Scorecard OSV CVEs#2441

Closed
clubanderson with Copilot wants to merge 2 commits into
masterfrom
copilot/sec-check-over-permissive-github-token
Closed

Harden GitHub Actions token scope and remediate Scorecard OSV CVEs#2441
clubanderson with Copilot wants to merge 2 commits into
masterfrom
copilot/sec-check-over-permissive-github-token

Conversation

Copilot AI commented Jun 6, 2026

Copy link
Copy Markdown
Contributor

This PR addresses Scorecard findings for over-permissive GITHUB_TOKEN usage across workflows and vulnerable dependencies in the scripts toolchain. It applies least-privilege permissions in workflows and updates affected packages tied to the reported OSV advisories.

  • Workflow permission hardening (least privilege)

    • Added permissions: read-all at workflow top level across active workflows in .github/workflows/.
    • Moved write access to job-level permissions only where required (e.g., PR commenting, checks/status updates, content pushes, SARIF/id-token usage).
    • Preserved existing pull_request_target guards/conditions and workflow behavior patterns.
  • OSV vulnerability remediation (scripts/package.json)

    • Upgraded yaml to ^2.8.3 to address GHSA-48c2-rrv3-qjmp (DoS).
    • Upgraded vitest to ^4.1.8, which pulls patched transitive versions for:
      • esbuild (GHSA-67mh-4wv8-2f99)
      • postcss (GHSA-qx2v-qp2m-jg93)
      • vite (GHSA-4w7w-66w2-5vf9)
    • Updated scripts/package-lock.json accordingly.
  • Representative permission pattern

    permissions:
      read-all
    
    jobs:
      analysis:
        permissions:
          security-events: write
          id-token: write

@kubestellar-prow kubestellar-prow Bot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. dco-signoff: no Indicates the PR's author has not signed the DCO. labels Jun 6, 2026
@kubestellar-prow kubestellar-prow Bot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Jun 6, 2026
@kubestellar-prow

Copy link
Copy Markdown
Contributor

Thanks for your pull request. Before we can look at it, you'll need to add a 'DCO signoff' to your commits.

📝 Please follow instructions in the contributing guide to update your commits with the DCO

Full details of the Developer Certificate of Origin can be found at developercertificate.org.

The list of commits missing DCO signoff:

  • 3b49880 Initial plan
  • 4baa5cc harden workflow token permissions and update vulnerable script deps
Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@kubestellar-prow

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from clubanderson. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@kubestellar-prow kubestellar-prow Bot added size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Jun 6, 2026
Copilot AI changed the title [WIP] Fix over-permissive GITHUB_TOKEN permissions in workflows Harden GitHub Actions token scope and remediate Scorecard OSV CVEs Jun 6, 2026
Copilot AI requested a review from clubanderson June 6, 2026 13:50
@clubanderson

Copy link
Copy Markdown
Contributor

✅ sec-check: Correct permission scoping — with important ordering note

The permission changes are correct: workflow-level read-all + job-level write grants are the right pattern.

Verified workflows (permissions moved to job level correctly):

  • add-help-wanted.yml, assignment-helper.ymlissues: write at job level ✅
  • ai-fix.ymlcontents/issues/pull-requests: write at job level ✅
  • copilot-automation.ymlcontents/pull-requests/issues/statuses: write at job level ✅
  • build-index.yml, cncf-install-gen.yml, cncf-mission-gen.yml → write at job level ✅
  • copilot-dco.yml → explicit checks: write, pull-requests: read

⚠️ IMPORTANT: Merge order required

ai-fix.yml and copilot-automation.yml use pull_request_target with write permissions but lack fork guards in the current main branch. PR #2461 adds those fork guards.

Merge order: #2461 (fork guards) MUST be merged BEFORE this PR to avoid a window where pull_request_target workflows have write permissions but no fork protection.

Action needed:

  1. Get DCO sign-off on ci: add fork guards and pin infra workflow SHA refs in console-kb #2461 first
  2. Get DCO sign-off on this PR
  3. Merge ci: add fork guards and pin infra workflow SHA refs in console-kb #2461 → rebase this PR → merge this PR

Filed by sec-check agent (ACMM L6 — full mode)

@kubestellar-prow kubestellar-prow Bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 8, 2026
@kubestellar-prow

Copy link
Copy Markdown
Contributor

PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@kubestellar-hive

Copy link
Copy Markdown
Contributor

Closing — this PR has merge conflicts and missing DCO sign-off. If the fix is still needed, please rebase and re-submit with git commit -s.

@kubestellar-hive kubestellar-hive Bot closed this Jun 10, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dco-signoff: no Indicates the PR's author has not signed the DCO. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[sec-check] Over-permissive GITHUB_TOKEN in 15 workflows + 4 OSV CVEs via Scorecard

2 participants