Description
Summary
OpenSSF Scorecard Token-Permissions alerts flag two jobs in `extension-publish-prerelease.yml` for missing job-level `permissions` blocks. The workflow has a top-level `permissions: contents: read` declaration at line 14, but the `validate-version` and `package` jobs do not declare their own job-level permissions, which violates the repository convention that every job must have explicit permissions.
Related to #456 (copilot-setup-steps.yml) and #460 (accepted risk documentation).
Alert Details
- Rule: Token-Permissions (High severity)
- File: `.github/workflows/extension-publish-prerelease.yml`
- Alerts:
  - Line 20: `validate-version` job — "no jobLevel permission defined"
  - Line 52: `package` job — "no jobLevel permission defined"
- Scanner: OpenSSF Scorecard v5.x
Proposed Fix
Fix 1: validate-version Job (line 20)
This job runs pure shell computation (version string validation). It does not use actions/checkout or access repository content, so it needs no token permissions; `permissions: {}` grants the job's `GITHUB_TOKEN` no scopes at all.
```yaml
validate-version:
  name: Validate Pre-Release Version
  runs-on: ubuntu-latest
  permissions: {}
  outputs:
```
Fix 2: package Job (line 52)
This job uses actions/checkout to read repository content for packaging. It needs `contents: read`, and nothing more.
```yaml
package:
  name: Package Pre-Release Extension
  needs: validate-version
  runs-on: ubuntu-latest
  permissions:
    contents: read
  outputs:
```
Verification
After applying the fix:
- Run `npm run lint:yaml` to validate YAML syntax.
- Trigger a pre-release publish workflow to verify the jobs execute successfully.
- Run the Scorecard Token-Permissions check to confirm the alerts are resolved.
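The following script is an added example, not part of this issue or the repository's tooling, and it is not Scorecard itself. It reproduces the one condition the alert above reports, a job under `jobs:` with no `permissions:` key of its own, so it can be run locally before pushing. It works on a constructed before/after pair of workflow snippets rather than the real file, and it assumes the conventional 2-space indentation (job ids at indent 2, job keys at indent 4); flow-style or multi-document YAML is out of scope for this simplified scan.

```python
"""Minimal job-level permissions checker for GitHub Actions workflows.

Added example (not the repository's code). Mirrors one aspect of the
OpenSSF Scorecard Token-Permissions rule: flag every job under `jobs:`
that lacks its own `permissions:` key. Assumes 2-space indentation.
"""
import re

# Constructed sample: a top-level permissions block is present, but neither
# job declares job-level permissions, which is the state the alert flags.
WORKFLOW_BEFORE = """\
name: Publish Pre-Release
on:
  workflow_dispatch:
permissions:
  contents: read
jobs:
  validate-version:
    name: Validate Pre-Release Version
    runs-on: ubuntu-latest
    outputs:
      version: ${{ steps.v.outputs.version }}
    steps:
      - id: v
        run: echo "version=1.2.3-pre" >> "$GITHUB_OUTPUT"
  package:
    name: Package Pre-Release Extension
    needs: validate-version
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
"""

# Constructed sample after the proposed fix: each job scopes its own token.
WORKFLOW_AFTER = WORKFLOW_BEFORE.replace(
    "  validate-version:\n", "  validate-version:\n    permissions: {}\n"
).replace(
    "  package:\n", "  package:\n    permissions:\n      contents: read\n"
)

_JOB_ID = re.compile(r"[A-Za-z_][\w-]*:\s*$")


def jobs_missing_permissions(workflow_text: str) -> list[str]:
    """Return the ids of jobs under `jobs:` that have no `permissions:` key."""
    missing = []
    in_jobs = False
    current_job = None
    has_perms = False

    def close_job():
        if in_jobs and current_job is not None and not has_perms:
            missing.append(current_job)

    for raw in workflow_text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and comments carry no structure
        indent = len(line) - len(line.lstrip(" "))
        if indent == 0:
            # A new top-level key ends the jobs mapping (and the last job).
            close_job()
            current_job = None
            in_jobs = line.startswith("jobs:")
            continue
        if not in_jobs:
            continue
        if indent == 2 and _JOB_ID.match(line.strip()):
            close_job()  # finish the previous job before starting a new one
            current_job = line.strip()[:-1]
            has_perms = False
        elif indent == 4 and current_job is not None and line.strip().startswith("permissions:"):
            # Both `permissions: {}` and a nested scopes mapping count.
            has_perms = True
    close_job()
    return missing


if __name__ == "__main__":
    print("before fix:", jobs_missing_permissions(WORKFLOW_BEFORE))
    print("after fix: ", jobs_missing_permissions(WORKFLOW_AFTER))
```

Pointing the function at the real workflow text (`open(path).read()`) gives the same pre-push signal the Scorecard alert gives after the fact; an empty list for every workflow is the expected state under the convention quoted below. It is deliberately a structural scan, not a YAML parser, so it stays dependency-free and readable, at the cost of not understanding anchors, flow mappings or unusual indentation.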
Convention Reference
From `.github/instructions/hve-core/workflows.instructions.md`:
> Workflows MUST declare explicit permissions following the principle of least privilege.
> Additional permissions MUST be granted at the job level and only when required for a specific capability.