Fix GitHub workflow token permissions for security compliance (#4992)

Copilot · ademidoff · web-flow · commit ae3203a42ddd · 2026-02-05T18:06:12.000+03:00
* Initial plan

* Fix GitHub workflow token permissions for code scanning compliance

- Add top-level `permissions: contents: read` to 6 workflows (api.yml, documentation.yml, linkspector.yml, main.yml, sbom.yml, ui.yml)
- Fix dependabot.yml: move write permissions from top-level to job-level
- Add job-level `contents: write` permission to documentation.yml for git push operations

All workflows now follow best practices:
- Top-level permissions set as read-all or contents: read
- Write permissions only at job-level where needed
- No permissions: write-all at job level

Co-authored-by: ademidoff &lt;81549+ademidoff@users.noreply.github.com&gt;

---------

Co-authored-by: copilot-swe-agent[bot] &lt;198982749+Copilot@users.noreply.github.com&gt;
Co-authored-by: ademidoff &lt;81549+ademidoff@users.noreply.github.com&gt;
diff --git a/.github/workflows/api.yml b/.github/workflows/api.yml
@@ -10,6 +10,9 @@ on:
 
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   sync:
     name: Sync API Docs
diff --git a/.github/workflows/dependabot.yml b/.github/workflows/dependabot.yml
@@ -2,14 +2,16 @@ name: Dependabot
 on: pull_request
 
 permissions:
-  contents: write
-  pull-requests: write
+  contents: read
 
 jobs:
   dependabot:
     name: Enable auto-merge
     runs-on: ubuntu-22.04
     if: ${{ github.actor == 'dependabot[bot]' }}
+    permissions:
+      contents: write
+      pull-requests: write
     steps:
       - name: Dependabot metadata
         id: metadata
diff --git a/.github/workflows/documentation.yml b/.github/workflows/documentation.yml
@@ -9,9 +9,14 @@ on:
 
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write  # for git push operations
 
     steps:
       - name: Check out code
diff --git a/.github/workflows/linkspector.yml b/.github/workflows/linkspector.yml
@@ -4,6 +4,9 @@ on:
     paths:
       - "documentation/**"
 
+permissions:
+  contents: read
+
 jobs:
   check-links:
     name: linkspector
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -11,6 +11,9 @@ on:
 
   pull_request:      
 
+permissions:
+  contents: read
+
 jobs:
   check:
     name: Checks
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
@@ -5,6 +5,9 @@ on:
     tags:
       - v[0-9]+.[0-9]+.[0-9]+*
 
+permissions:
+  contents: read
+
 jobs:
   sbom:
     runs-on: ubuntu-22.04
diff --git a/.github/workflows/ui.yml b/.github/workflows/ui.yml
@@ -24,6 +24,9 @@ on:
       - "vmproxy/**"
       - "update/**"
 
+permissions:
+  contents: read
+
 jobs:
   ci:
     name: CI
