Least-privilege permissions #6

@bordumb

Description

PR review feedback (axios/axios#10646) flagged that the GitHub Action
workflow grants pull-requests: write on all triggers, including push,
where it's not needed.

Task 8.1: Condition pull-requests: write on event type

What: The auths-verify-commits.yml workflow grants
pull-requests: write at job level for all triggers. On push events,
this is unnecessary and expands the token's privilege surface.

Why: A reviewer correctly pointed out this is the same class of
over-permissioning that contributed to the original attacks. The Auths
action only uses pull-requests: write when post-pr-comment: true
AND the trigger is a pull_request event.

Recommendation for the GitHub Action itself:

File to modify:
/Users/bordumb/workspace/repositories/auths-base/auths-verify-github-action/src/main.ts

The action should skip the PR comment step (and not require the token)
when the event is not a pull_request. Currently the action may already
do this, but the workflow template should make it explicit by splitting
into two jobs or using conditional permissions:

Recommended workflow pattern for consumers:

jobs:
  verify:
    if: github.event_name != 'pull_request'
    runs-on: ubuntu-latest
    permissions:
      contents: read
  verify-pr:
    if: github.event_name == 'pull_request'   # permissions: values must be literal read/write/none, ${{ }} expressions are not evaluated there, so gate per job
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write

File to also update (action README / examples):
/Users/bordumb/workspace/repositories/auths-base/auths-verify-github-action/README.md

Update all example workflows to use conditional permissions.

Task 8.2: Action should warn when post-pr-comment is true on non-PR events

What: If a user configures post-pr-comment: true but the action
runs on a push event, the action should log a warning rather than
silently skipping or failing.

File to modify:
/Users/bordumb/workspace/repositories/auths-base/auths-verify-github-action/src/main.ts

import * as core from '@actions/core'
import * as github from '@actions/github'

// `post-pr-comment` is a boolean action input; github.context.eventName is the
// triggering event (e.g. 'push', 'pull_request').
const postPrComment = core.getBooleanInput('post-pr-comment')

if (postPrComment && github.context.eventName !== 'pull_request') {
  core.warning(
    'post-pr-comment is enabled but this is not a pull_request event. ' +
    'PR comment will be skipped. Consider conditioning pull-requests: write ' +
    'permission on the event type.'
  )
}
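The gating described in Tasks 8.1 and 8.2, written out as an added example (this is not code from auths-verify-github-action): the decision of whether the PR-comment step runs, whether the token input is needed at all, and which warning to emit is a pure function of the event name and the `post-pr-comment` input, so it can be unit-tested without @actions/core or @actions/github. The `Logger` interface, the `headRepoIsFork` field and the `runPrCommentStep` wrapper are assumptions made here; in the real action the inputs would come from `core.getInput('post-pr-comment')` and `github.context.eventName`.

```typescript
// Added example, not the action's own code. Pure decision logic for the
// PR-comment step so it can be tested without @actions/core or @actions/github.

interface Logger {
  // Stand-in for core.warning (assumption).
  warning(message: string): void;
}

interface PrCommentDecision {
  // Post the comment (and therefore actually need pull-requests: write).
  comment: boolean;
  // Whether the action needs to read its token input at all.
  needsToken: boolean;
  // Messages to surface via core.warning instead of failing or silently skipping.
  warnings: string[];
}

// Same acceptance rule as @actions/core getBooleanInput: YAML 1.2 core-schema spellings only.
function parseBooleanInput(name: string, raw: string): boolean {
  const trueValues = ['true', 'True', 'TRUE'];
  const falseValues = ['false', 'False', 'FALSE'];
  if (trueValues.includes(raw)) return true;
  if (falseValues.includes(raw)) return false;
  throw new TypeError(
    `Input ${name} must be one of true | True | TRUE | false | False | FALSE, got "${raw}"`
  );
}

function decidePrComment(opts: {
  postPrComment: boolean;
  eventName: string;
  headRepoIsFork?: boolean; // assumed input; would come from the pull_request payload
}): PrCommentDecision {
  const warnings: string[] = [];

  // Commenting disabled: no token needed, nothing to warn about.
  if (!opts.postPrComment) {
    return { comment: false, needsToken: false, warnings };
  }

  // Task 8.2: warn, don't fail, when the step cannot apply to this event.
  if (opts.eventName !== 'pull_request') {
    warnings.push(
      'post-pr-comment is enabled but this is not a pull_request event. ' +
      'PR comment will be skipped. Consider conditioning pull-requests: write ' +
      'permission on the event type.'
    );
    return { comment: false, needsToken: false, warnings };
  }

  // Caveat not in the issue text: for pull_request runs from a fork, GITHUB_TOKEN
  // is read-only by default regardless of the permissions block, so the comment
  // call will fail with 403. Warn up front rather than surfacing a bare API error.
  if (opts.headRepoIsFork) {
    warnings.push(
      'pull_request comes from a fork; GITHUB_TOKEN is read-only for fork PRs ' +
      'by default, so posting the comment may fail with 403.'
    );
  }

  return { comment: true, needsToken: true, warnings };
}

// Glue the decision to a logger the way main.ts would glue it to core.warning.
function runPrCommentStep(
  rawInput: string,
  eventName: string,
  log: Logger,
  headRepoIsFork = false
): PrCommentDecision {
  const decision = decidePrComment({
    postPrComment: parseBooleanInput('post-pr-comment', rawInput),
    eventName,
    headRepoIsFork,
  });
  for (const w of decision.warnings) log.warning(w);
  return decision;
}

// Stand-alone demo: post-pr-comment enabled on a push event.
const demo = runPrCommentStep('true', 'push', {
  warning: (m) => console.log(`::warning::${m}`),
});
console.log(JSON.stringify(demo));
```

Because `needsToken` is false on non-PR events, the action can skip reading its token input entirely there, which is what lets the consumer's workflow drop `pull-requests: write` from the push job without the action breaking.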
