
Tighten permissions in stale workflow (minor hardening) #79

@yada

Description


The Manage stale issues and PRs workflow is already well-secured and not exposed to the recent GitHub Actions exploit class (e.g. HackerBot-Claw). However, we can further improve it by applying stricter least-privilege permissions.

Proposed change

Replace the top-level permissions:

permissions:
  contents: read

with:

permissions: {}

Why

  • The workflow does not require repository content access
  • Permissions are already correctly scoped at the job level:
    issues: write
    pull-requests: write
  • Reduces the default token scope
  • Aligns with GitHub Actions security best practices

Impact

  • ✅ No functional change expected
  • ✅ Slightly reduced attack surface
  • ✅ Clearer security posture

Notes

The workflow is already safe against untrusted code execution risks (no pull_request_target, no code execution); this is just a defense-in-depth improvement.
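The hardened layout the issue proposes, written out as a complete workflow file so the before and after top-level blocks can be read side by side. This is an added example, not the repository's own workflow: the schedule trigger, the job name, the actions/stale step and its inputs are assumptions, while the two permissions blocks are the ones the issue describes.

```yaml
# Added example, not the repository's workflow file. The trigger, job name
# and the actions/stale step with its inputs are assumptions; the permissions
# blocks are the ones the issue describes.
name: Manage stale issues and PRs

on:
  schedule:
    - cron: "0 1 * * *"   # assumed schedule

# Before (from the issue): the GITHUB_TOKEN was granted read access to
# repository contents at the top level, which no job here needs.
#
# permissions:
#   contents: read
#
# After: an empty map grants the GITHUB_TOKEN no scopes by default, so every
# job has to declare exactly what it needs.
permissions: {}

jobs:
  stale:
    runs-on: ubuntu-latest
    # Job-level grants are the only scopes this job's token receives.
    # contents is not listed, so a checkout or push using GITHUB_TOKEN
    # would fail here, which is the intended signal.
    permissions:
      issues: write
      pull-requests: write
    steps:
      - uses: actions/stale@v9   # assumed action and version
        with:
          stale-issue-message: "This issue is stale."   # assumed inputs
          days-before-stale: 60
          days-before-close: 7
```

With an empty top-level map, any job added later without its own permissions block gets a token with no scopes at all; a job that needs to check out the repository must say `contents: read` itself rather than inheriting it, which is the point of the change.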

Metadata

Labels

enhancement (New feature or request), github_actions (Pull requests that update GitHub Actions code)
