[#47970] - [5.4] [AI] Set least-privilege GITHUB_TOKEN permissions for CI and merge-conflict workflows
- Pending
- Medium
- Build: 5.4-dev
- # 47970
- Diff
- Alb3e3:harden-workflow-token-permissions
User tests: Successful: Unsuccessful:
Pull Request resolves # N/A — proactive CI/CD security hardening (not tied to a single issue).
- I read the Generative AI policy and my contribution is either not created with the help of AI or is compatible with the policy and GNU/GPL 2 or later.
AI disclosure (policy §4.1): this PR was drafted with AI assistance. The changes are mechanical workflow-permission additions; I reviewed and validated each one against the current workflows, and the title is prefixed with
[AI]accordingly.
Summary of Changes
.github/workflows/ci.yml and .github/workflows/merge-conflicts.yml did not declare a permissions: block, so both ran with the repository's default GITHUB_TOKEN scopes. This adds explicit least-privilege blocks:
- ci.yml →
contents: read(it only checks out, builds and tests). - merge-conflicts.yml →
contents: read+pull-requests: write(it reads the repo and adds/removes the "Conflicting Files" label). This matters most here because the job runs in the privilegedpull_request_targetcontext.
No workflow logic, triggers, or action versions are changed.
Testing Instructions
- Inspect the two files; confirm only a top-level
permissions:block was added. - Validate YAML:
python3 -c "import yaml; yaml.safe_load(open('.github/workflows/ci.yml'))"(and the same formerge-conflicts.yml). - After merge: confirm CI Joomla still runs, and the merge-conflict labeler still adds/removes the "Conflicting Files" label on a conflicting PR.
Actual result BEFORE applying this Pull Request
Both workflows run with the repository's default GITHUB_TOKEN permissions, which may grant more than they need — notably the merge-conflict job, which runs in the privileged pull_request_target context.
Expected result AFTER applying this Pull Request
Each workflow's token is scoped to the minimum it needs (principle of least privilege, per the OpenSSF Scorecard Token-Permissions check). CI and the merge-conflict labeler behave exactly as before.
Link to documentations
- No documentation changes for guide.joomla.org needed
- No documentation changes for manual.joomla.org needed
| Status | New | ⇒ | Pending |
joomla-cms-bot
- | Category | ⇒ | Repository |
@Alb3e3 Thank you for your contribution. Please note that all pull requests must follow the PR template:
https://github.com/joomla/joomla-cms/blob/5.4-dev/.github/PULL_REQUEST_TEMPLATE.md
Once the required information has been provided, the PR can proceed to review and testing.
| Title |
|
||||||
| Title |
|
||||||
Thanks @muhme @BeginnerJoomlaCom — I've updated the PR to follow the template, prefixed the title with [AI], and added the Generative AI policy acknowledgement and an explicit AI-assistance disclosure per §4.1. The change is permissions-only (no logic/trigger/action-version changes) and I've validated the YAML locally. Ready for review/testing.
| Title |
|
||||||
Yes, that is correct. I used AI assistance while preparing the PR, so the [AI] prefix is intentional and should stay.
@Alb3e3 Please use the Pull Request-Template.