Preflight Checklist

  • [x] I have searched the issue tracker for an issue that matches the one I want to file, without success.

Problem Description

Security Issue: All GitHub Actions workflows in the repository are missing explicit permissions: declarations, which violates the principle of least privilege and creates potential security risks.

Current Security Alerts

  • 7 Open CodeQL Security Alerts (Alert numbers #1-6, #9)
  • Rule: actions/missing-workflow-permissions
  • Severity: Warning (Medium security impact)
  • CWE: CWE-275 (Improper Access Control)

Security Risk

When workflows don't specify explicit permissions, they inherit the default repository/organization permissions, which are often overly permissive (read-write access). This violates the principle of least privilege and could potentially be exploited if:

  • A malicious dependency is introduced
  • A workflow script is compromised
  • An unauthorized actor gains access to the workflow environment

Affected Workflows

  • .github/workflows/ci.yaml (4 separate jobs without permissions)
  • .github/workflows/checks.yaml (1 job without permissions)
  • .github/workflows/stale.yaml (1 job without permissions)

Proposed Solution

Add explicit permissions: blocks to all workflow jobs following the principle of least privilege:

Example Fix for .github/workflows/ci.yaml:

name: CI

# Add at workflow level for all jobs
permissions:
  contents: read  # Required to checkout code

on:
  push:
    branches: [master]
  pull_request:

jobs:
  build:
    name: Build
    runs-on: ubuntu-latest
    # permissions: inherit from workflow level

  test:
    name: Test
    runs-on: ${{ matrix.os }}
    # permissions: inherit from workflow level

  lint:
    name: Lint
    runs-on: ubuntu-latest
    # permissions: inherit from workflow level

  license-check:
    name: License check
    runs-on: ubuntu-latest
    # permissions: inherit from workflow level

Example Fix for .github/workflows/stale.yaml:

name: "Close stale issues"

permissions:
  contents: read
  issues: write        # Required to manage stale issues
  pull-requests: write # Required to manage stale PRs (if enabled)

on:
  schedule:
    - cron: "0 3 * * *"

Example Fix for .github/workflows/checks.yaml:

name: PR Checks

permissions:
  contents: read       # Required to checkout code
  pull-requests: read  # Required to read PR labels

on:
  pull_request:
    types: [opened, labeled, unlabeled, synchronize]
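As an added example (not part of this issue or the project's code), the check below scans workflow text for the condition the CodeQL rule flags: a job that declares no permissions: of its own while the workflow level declares none either. It is an indentation-based scan rather than a full YAML parser, and the sample workflow text is constructed for illustration.

```python
# Added example, not the project's own tooling: a minimal audit that mirrors the
# idea behind actions/missing-workflow-permissions (indentation scan, not YAML).
import re

KEY = re.compile(r"^(\s*)([A-Za-z0-9_.-]+):")  # "key:" lines; skips "- item" lines

def find_unscoped_jobs(workflow_text):
    """Return job names with no permissions: block and no workflow-level block to inherit."""
    in_jobs = workflow_level = False
    job_indent = child_indent = current = None
    jobs = {}  # job name -> declares its own permissions block
    for line in workflow_text.splitlines():
        m = KEY.match(line)
        if not m:                       # blank, comment, list item or scalar
            continue
        indent, key = len(m.group(1)), m.group(2)
        if indent == 0:                 # a new top-level section
            in_jobs = key == "jobs"
            workflow_level |= key == "permissions"
            continue
        if not in_jobs:
            continue
        if job_indent is None:
            job_indent = indent         # depth of job names under jobs:
        if indent == job_indent:        # a job name
            current, child_indent = key, None
            jobs[current] = False
        elif current is not None:
            if child_indent is None:
                child_indent = indent   # depth of a job's direct children
            if indent == child_indent and key == "permissions":
                jobs[current] = True
    if workflow_level:
        return []                       # every job inherits the workflow block
    return [name for name, scoped in jobs.items() if not scoped]

# Constructed sample: lint scopes itself, build silently relies on the defaults.
CI_BEFORE = """\
name: CI
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
  lint:
    runs-on: ubuntu-latest
    permissions:
      contents: read
"""
```

Prepending a workflow-level block such as the one proposed above (for example permissions: with contents: read) makes the same file report no unscoped jobs.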

Alternatives Considered

No response

Additional Information

No response