Summary
OpenSSF Scorecard Token-Permissions alerts flag two jobs in extension-publish.yml for missing job-level permissions blocks. The workflow has a top-level permissions: contents: read declaration at line 22, but the prepare-changelog and normalize-version jobs do not declare their own job-level permissions, which violates the repository convention that every job must have explicit permissions.
Related to #456 (copilot-setup-steps.yml), #460 (accepted risk documentation), and the companion issue for extension-publish-prerelease.yml.
Alert Details
- Rule: Token-Permissions (High severity)
- File: .github/workflows/extension-publish.yml
- Alerts:
  - Line 25: prepare-changelog job — "no jobLevel permission defined"
  - Line 58: normalize-version job — "no jobLevel permission defined"
- Scanner: OpenSSF Scorecard v5.x
Proposed Fix
Fix 1: prepare-changelog Job (line 25)
This job uses actions/checkout to extract changelog entries. It needs contents: read.

```yaml
prepare-changelog:
  name: Prepare Changelog
  runs-on: ubuntu-latest
  permissions:
    contents: read
  outputs:
```

Fix 2: normalize-version Job (line 58)
This job runs pure shell computation (version string normalization). It does not use actions/checkout or access repository content, so it needs no token permissions.

```yaml
normalize-version:
  name: Normalize Version
  runs-on: ubuntu-latest
  permissions: {}
  outputs:
```

Verification
After applying the fix:
- Run `npm run lint:yaml` to validate YAML syntax.
- Trigger a release publish workflow to verify the jobs execute successfully.
- Run the Scorecard Token-Permissions check to confirm the alerts are resolved.
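For a quick local check before re-running Scorecard, the following is an added example (not code from this issue or the repository) of a small indentation-based lint that reports jobs lacking a job-level `permissions:` block, which is what the Token-Permissions rule flags. The workflow text is constructed for illustration and only borrows the two job names from this issue; it is not the real extension-publish.yml.

```python
"""Lint a GitHub Actions workflow for jobs that have no job-level permissions block.

Added example; the WORKFLOW text below is constructed and is not the real
extension-publish.yml. The parser is deliberately minimal (indentation-based)
so it runs without PyYAML; it assumes the 2-space indentation GitHub workflows
conventionally use.
"""

# Constructed sample: top-level permissions present, one job missing its own block.
WORKFLOW = """\
name: Publish Extension
on:
  release:
    types: [published]

permissions:
  contents: read

jobs:
  prepare-changelog:
    name: Prepare Changelog
    runs-on: ubuntu-latest
    outputs:
      notes: ${{ steps.extract.outputs.notes }}
    steps:
      - uses: actions/checkout@v4
      - id: extract
        run: echo "notes=..." >> "$GITHUB_OUTPUT"

  normalize-version:
    name: Normalize Version
    runs-on: ubuntu-latest
    permissions: {}
    outputs:
      version: ${{ steps.norm.outputs.version }}
    steps:
      - id: norm
        run: echo "version=1.2.3" >> "$GITHUB_OUTPUT"
"""

# The same sample with the issue's Fix 1 applied to prepare-changelog.
WORKFLOW_FIXED = WORKFLOW.replace(
    "  prepare-changelog:\n    name: Prepare Changelog\n    runs-on: ubuntu-latest\n",
    "  prepare-changelog:\n    name: Prepare Changelog\n    runs-on: ubuntu-latest\n"
    "    permissions:\n      contents: read\n",
)


def _indent(line):
    """Number of leading spaces on a line."""
    return len(line) - len(line.lstrip(" "))


def find_jobs_without_permissions(text):
    """Return (top_level_has_permissions, [job names with no job-level permissions])."""
    lines = [l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    top_level = False
    missing = []
    in_jobs = False        # currently inside the top-level `jobs:` mapping
    job_indent = None      # indentation of job-name keys (children of `jobs:`)
    current_job = None
    job_has_perms = False

    def close_job():
        if current_job is not None and not job_has_perms:
            missing.append(current_job)

    for line in lines:
        ind = _indent(line)
        key = line.strip()
        if ind == 0:
            # A new top-level key ends any open job and the jobs section.
            close_job()
            current_job, job_indent = None, None
            top_level = top_level or key.startswith("permissions:")
            in_jobs = key == "jobs:"
            continue
        if not in_jobs:
            continue
        if job_indent is None:
            job_indent = ind  # first child of `jobs:` fixes the job-key indentation
        if ind == job_indent and key.endswith(":"):
            close_job()
            current_job, job_has_perms = key[:-1], False
            continue
        # A permissions key directly under the job (one level deeper than its name).
        if current_job is not None and ind == job_indent + 2 and key.startswith("permissions:"):
            job_has_perms = True
    close_job()
    return top_level, missing


if __name__ == "__main__":
    for label, wf in (("before", WORKFLOW), ("after", WORKFLOW_FIXED)):
        top, missing = find_jobs_without_permissions(wf)
        print(f"{label}: top-level permissions={top}, jobs missing permissions={missing}")
```

The lint intentionally ignores the top-level block when deciding per job: the repository convention quoted below requires every job to declare its own permissions even when a restrictive top-level default exists, which is also the distinction Scorecard draws with "no jobLevel permission defined".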
Convention Reference
From .github/instructions/hve-core/workflows.instructions.md:
> Workflows MUST declare explicit permissions following the principle of least privilege.
> Additional permissions MUST be granted at the job level and only when required for a specific capability.