
fix: adding required permissions to top level and jobs in the workflow #12656

Open
gaganhr94 wants to merge 1 commit into strimzi:main from gaganhr94:fix/token-permissions

@gaganhr94

Type of change

Select the type of your PR

  • Enhancement / new feature

Description

Currently the score for the Token Permissions is 9 because the top level permissions and a few job level permissions are missing in the workflows. With this change, the score will improve to 10, since the workflow jobs will run with the minimal permissions. The PR retains conditions like write only at the job level, where it is necessary.

Fixes #12655

Checklist

Please go through this checklist and make sure all applicable tasks have been done

  • Write tests
  • Make sure all tests pass
  • Update documentation
  • Check RBAC rights for Kubernetes / OpenShift roles
  • Try your changes from Pod inside your Kubernetes and OpenShift cluster, not just locally
  • Reference relevant issue(s) and close them after merging
  • Update CHANGELOG.md
  • Supply screenshots for visual changes, such as Grafana dashboards

scholzj requested a review from Frawless April 19, 2026 12:15
contents: read
pull-requests: write
statuses: write
permissions: {}
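
Review bot: `permissions: {}` on the last line of this snippet leaves the token with no scopes wherever it is the block in effect, so if it is the workflow-level default, any job without its own `permissions:` entry runs with none. Confirm that every job needing `contents: read` declares it, and add a short comment next to `pull-requests: write` and `statuses: write` naming the step that requires each.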
Member


We use default permissions as

permissions:
  contents: read

so maybe we can do the same here and put only pull-requests and statuses to job level
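
The two layouts discussed in this thread, resolved to the scopes each job's `GITHUB_TOKEN` actually receives. This is an added example, not code from the PR or the Strimzi repository; the workflow mappings are constructed samples and the job names `build` and `report` are hypothetical.

```python
# Added example: constructed workflow mappings (as a YAML loader returns them).

def resolve(block):
    """Normalise one `permissions` value to {scope: access}."""
    if block in ("read-all", "write-all"):
        return {"*": block.split("-")[0]}
    return dict(block or {})  # `{}` grants the token no scopes

def effective_permissions(workflow):
    """GITHUB_TOKEN scopes per job. A job-level block replaces the
    workflow-level block outright; scopes it does not list become none."""
    # None means the file sets nothing and the repository default applies.
    default = resolve(workflow["permissions"]) if "permissions" in workflow else None
    return {
        name: resolve(job["permissions"]) if "permissions" in job else default
        for name, job in workflow.get("jobs", {}).items()
    }

def write_scopes(workflow):
    """Scopes each job holds with write access, for review."""
    return {
        name: sorted(s for s, a in (perms or {}).items() if a == "write")
        for name, perms in effective_permissions(workflow).items()
    }

# Layout A: empty default, every job declares what it needs.
EMPTY_DEFAULT = {
    "permissions": {},
    "jobs": {
        "build": {"permissions": {"contents": "read"}},
        "report": {"permissions": {"contents": "read",
                                   "pull-requests": "write",
                                   "statuses": "write"}},
    },
}
# Layout B: `contents: read` default, write scopes only on the job using them.
READ_DEFAULT = {
    "permissions": {"contents": "read"},
    "jobs": {
        "build": {},
        "report": {"permissions": {"pull-requests": "write",
                                   "statuses": "write"}},
    },
}

if __name__ == "__main__":
    for label, wf in (("A", EMPTY_DEFAULT), ("B", READ_DEFAULT)):
        print(label, effective_permissions(wf), write_scopes(wf))
```

In layout B the `report` job ends up without `contents: read`, because its job-level block replaces the default instead of extending it; a job that needs repository read access as well as the two write scopes has to list all three.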

Frawless added this to the 1.1.0 milestone Apr 22, 2026
@codecov

codecov Bot commented Apr 22, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 75.08%. Comparing base (ac9f75a) to head (b6cca65).
⚠️ Report is 9 commits behind head on main.

Additional details and impacted files
@@             Coverage Diff              @@
##               main   #12656      +/-   ##
============================================
- Coverage     75.10%   75.08%   -0.03%     
+ Complexity     6513     6511       -2     
============================================
  Files           376      376              
  Lines         25083    25083              
  Branches       3271     3271              
============================================
- Hits          18839    18833       -6     
- Misses         4901     4906       +5     
- Partials       1343     1344       +1     

see 6 files with indirect coverage changes



Development

Successfully merging this pull request may close these issues.

Improve OSSF Scorecard Token-Permissions check by tightening GitHub Actions permissions
