Reduce PR dashboard workflow token permissions #22
Pull request overview
This PR tightens least-privilege on the two pull request dashboard workflows by removing job-level GITHUB_TOKEN scopes that the jobs don't actually exercise. I verified the change is safe: every GitHub API call in the dashboard scripts runs through the GitHub App installation token (GH_TOKEN/PR_DASHBOARD_TOKEN created by create-github-app-token, which is explicitly scoped per job), while the job GITHUB_TOKEN is only used for actions/checkout and the state-branch git push in state_branch.push_state — both covered by the retained contents scope. The reusable-workflow caller run-repo-dashboard now grants only contents: write, which matches the permissions every called job declares.
Changes:
- Removed unused `actions: read`, `checks: read`, `issues: write/read`, and `pull-requests: read` job scopes across the dashboard jobs.
- Kept `contents` (read/write) where checkout and state-branch pushes require it.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| .github/workflows/pull-request-dashboard.yml | Trims the run-repo-dashboard caller job to only contents: write, matching the scopes the reusable workflow's jobs need. |
| .github/workflows/pull-request-dashboard-repo.yml | Removes unused issues/pull-requests/checks/actions scopes from the post-review-guidance, update-dashboard, notify-slack, and publish-dashboard jobs, relying on the app token for API access. |
Remove unused job-level GITHUB_TOKEN scopes from the pull request dashboard workflows. Target repository API access continues to use the repository-scoped GitHub App installation tokens, while the job token keeps only the contents access needed for checkout and state-branch pushes.
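The permissions layout the review describes, as a constructed example that is not the repository's own workflow file: the job's GITHUB_TOKEN keeps only `contents`, while every API call goes through a per-job GitHub App installation token. The secret names, the dashboard step body and the state-branch name are assumptions.

```yaml
# Constructed example, not the repository's own workflow: the
# least-privilege layout the review describes. The caller grants this
# reusable workflow only `contents: write`, so no called job may ask for more.
name: pull-request-dashboard-repo (example)
on:
  workflow_call:
    secrets:
      DASHBOARD_APP_ID:          # assumed secret names
        required: true
      DASHBOARD_APP_PRIVATE_KEY:
        required: true
# No workflow-level default: each job opts in to exactly what it uses.
permissions: {}

jobs:
  update-dashboard:
    runs-on: ubuntu-latest
    # Only what actions/checkout and the state-branch `git push` need;
    # no issues/pull-requests/checks/actions scopes on GITHUB_TOKEN.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4

      # Installation token scoped to this repository; the App, not
      # GITHUB_TOKEN, carries the issues/pull-requests read permissions.
      - id: app-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.DASHBOARD_APP_ID }}
          private-key: ${{ secrets.DASHBOARD_APP_PRIVATE_KEY }}
          owner: ${{ github.repository_owner }}
          repositories: ${{ github.event.repository.name }}

      # Every API call uses the app token (GH_TOKEN), never GITHUB_TOKEN.
      - name: Build dashboard state
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
        run: gh pr list --repo "$GITHUB_REPOSITORY" --json number,title,reviewDecision > state.json

      # The push relies on the credentials checkout persisted (job GITHUB_TOKEN, contents: write).
      - name: Push state branch
        run: |
          git config user.name "pr-dashboard-bot"
          git config user.email "pr-dashboard-bot@users.noreply.github.com"
          git checkout -B dashboard-state   # assumed branch name
          git add state.json
          git commit -m "Update dashboard state" || exit 0
          git push --force origin dashboard-state
```

If a job later needs an `issues` or `pull-requests` API call, the right place to grant it is the App's installation permissions, not the job-level GITHUB_TOKEN block.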