Refactor workflow permissions for consistency across CI/CD files #199
frasermolyneux merged 4 commits into main from
Pull request overview
This pull request refactors GitHub Actions workflow files to move permissions declarations from the workflow level to the job level, following the principle of least privilege. This allows each job to have only the specific permissions it requires, improving security posture.
Changes:
- Moved `permissions` blocks from workflow-level (top of file after `on:`) to job-level (under each job definition)
- Applied this pattern consistently across 6 workflow files
- No changes to permission scopes or values—only their location in the YAML structure
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| `.github/workflows/release-version-and-tag.yml` | Moved workflow-level `contents: read` to job-level; `calculate-version` and `dotnet-ci` get `contents: read`, `tag-release` gets `contents: write` |
| `.github/workflows/release-publish-nuget.yml` | Moved workflow-level `contents: write` and `actions: read` to job-level under `publish-nuget-packages` job |
| `.github/workflows/pr-verify.yml` | Moved workflow-level `contents: read` to job-level under `build-and-test` job |
| `.github/workflows/dependabot-automerge.yml` | Moved workflow-level `contents: write` and `pull-requests: write` to job-level under `dependabot` job |
| `.github/workflows/codequality.yml` | Moved workflow-level permissions to job-level; also reordered `dependency-review` job properties (`permissions` now appear before `if` and `runs-on`) |
| `.github/workflows/build-and-test.yml` | Moved workflow-level `contents: read` to job-level under `build-and-test` job |
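The job-level layout summarized for `release-version-and-tag.yml`, as an added illustration that is not the repository's actual file or part of the review above. The job names and scopes come from the table; the trigger, runner and steps are constructed placeholders.

```yaml
# Constructed illustration, not the repository's actual workflow file.
# Job names and scopes come from the summary table; trigger and steps are placeholders.

# Before: one workflow-level block set the GITHUB_TOKEN scopes for the jobs.
#
#   on: workflow_dispatch
#   permissions:
#     contents: read
#   jobs:
#     calculate-version: ...

# After: no workflow-level block; each job declares only what it needs.
name: release-version-and-tag
on: workflow_dispatch

jobs:
  calculate-version:
    permissions:
      contents: read          # enough to check out the repository
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: echo "compute version here"        # placeholder step

  dotnet-ci:
    permissions:
      contents: read
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: echo "build and test here"         # placeholder step

  tag-release:
    needs: [calculate-version, dotnet-ci]
    permissions:
      contents: write         # the only job whose token can push a tag
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: echo "create and push tag here"    # placeholder step
```

A job-level `permissions` block replaces the workflow-level one for that job, and any scope it does not list is set to `none`. A job left without its own block once the workflow-level block is removed falls back to the repository's default `GITHUB_TOKEN` permissions, so every job needs an explicit block for the refactor to stay least-privilege.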
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.



No description provided.