Labels: github-actions (GitHub Actions workflows), security (Security-related changes or concerns)
Description
Summary
OpenSSF Scorecard alert #15 flags copilot-setup-steps.yml for having no top-level permissions: block. The workflow currently declares only contents: read at job-level on the setup job. Adding an empty or restrictive top-level permissions: block satisfies the scanner and follows the principle of least privilege.
This file was not in scope for #292 or #182, which addressed other workflow files for the same pattern.
Alert Details
- Rule: Token-Permissions (High severity)
- File: .github/workflows/copilot-setup-steps.yml, line 1
- Message: "no topLevel permission defined"
- Scanner: OpenSSF Scorecard
Proposed Fix
Add a top-level permissions block before the jobs: key:

    permissions: {}

The existing job-level contents: read permission on the setup job is sufficient and overrides the restrictive top-level default.
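As an added illustration (not code from the hve-core repository or from Scorecard itself), the following stdlib-only script emulates the Token-Permissions check on a constructed stand-in for the workflow, before and after the proposed fix. The workflow text is an assumed minimal structure matching what the issue describes, not the real file's contents.

```python
import re

# Constructed stand-in for copilot-setup-steps.yml before the fix: only the
# structure the issue describes (job-level contents: read, no top-level block).
BEFORE = """\
name: Copilot Setup Steps
on: workflow_dispatch
jobs:
  setup:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
"""
# The proposed fix: an empty top-level block placed ahead of the jobs: key.
AFTER = BEFORE.replace("jobs:\n", "permissions: {}\njobs:\n")

KEY_RE = re.compile(r"^( *)([A-Za-z_][\w-]*):")  # "<indent>key:" mapping lines

def find_permissions(workflow_text):
    """Return {"top_level": bool, "jobs": {name: bool}} using indentation only.

    Keys nested deeper than a job's direct children (steps, with) are ignored.
    """
    top_level, jobs = False, {}
    in_jobs, job_indent, child_indent, job = False, None, None, None
    for raw in workflow_text.splitlines():
        m = KEY_RE.match(raw.split("#", 1)[0].rstrip())
        if not m:
            continue
        indent, key = len(m.group(1)), m.group(2)
        if indent == 0:                        # top-level key
            in_jobs = key == "jobs"
            top_level = top_level or key == "permissions"
        elif in_jobs and (job_indent is None or indent == job_indent):
            job_indent, job = indent, key      # a job name under jobs:
            jobs[job] = False
        elif in_jobs and job and indent > job_indent:
            child_indent = child_indent or indent
            if indent == child_indent and key == "permissions":
                jobs[job] = True               # job-level permissions block
    return {"top_level": top_level, "jobs": jobs}

def scorecard_findings(workflow_text):
    """Emulate the Token-Permissions message quoted in the alert."""
    info = find_permissions(workflow_text)
    return [] if info["top_level"] else ["no topLevel permission defined"]
```

Calling scorecard_findings(BEFORE) reproduces the alert message, while scorecard_findings(AFTER) returns no findings and find_permissions(AFTER) still reports the setup job's own permissions block.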
Acceptance Criteria
- copilot-setup-steps.yml has a top-level permissions: block
- Copilot coding agent setup workflow continues to function correctly
- OpenSSF Scorecard alert #15 resolves on next scan
References
- Alert: https://github.com/microsoft/hve-core/security/code-scanning/15
- Predecessor: #292 "[Issue]: Residual OpenSSF Scorecard Token-Permissions fixes from #182" (addressed pester-tests.yml but not copilot-setup-steps.yml)
- Predecessor: #182 "chore(build): Clean up GitHub Actions workflow permissions for OpenSSF Scorecard compliance" (original workflow permissions cleanup)