Security Finding
Severity: high
Type: permission-issue
Scorecard Alerts: #869 and related (TokenPermissionsID)
OpenSSF Scorecard flags 8 active alerts across 6 kubestellar/console workflows for job-level write permissions. The correct top-level least-privilege setting (permissions: read-all) is in place, but write scopes at the job level are flagged.
Affected workflows
| File | Alerts |
| --- | --- |
| .github/workflows/copilot-automation.yml | 2 |
| .github/workflows/helm-release.yml | 2 |
| .github/workflows/cleanup-screenshots.yml | 1 |
| .github/workflows/deploy-checksum.yml | 1 |
| .github/workflows/hive-interactive.yml | 1 |
| .github/workflows/process-screenshots.yml | 1 |
All flagged jobs follow the correct least-privilege pattern — permissions: read-all at the workflow level, with write scopes granted only to the individual jobs that need them. Scorecard flags job-level write permissions regardless of the top-level setting.
Impact
If any action or reusable workflow step is compromised via supply-chain attack, the attacker gains write access at the job scope. The helm-release.yml and deploy-checksum.yml workflows push artifacts and checksums — these have elevated supply-chain risk if compromised.
Recommendation
- Verify all action pins (commit SHAs) in these workflows are current and untampered.
- For helm-release.yml and deploy-checksum.yml, consider whether write permissions can be further narrowed (e.g., packages: write instead of contents: write).
- Periodically update commit hash pins for all pinned actions.
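A small check that reproduces what the Scorecard alert and the pin recommendation look at, added here as an example (it is not Scorecard's implementation or kubestellar code). It takes a workflow already loaded into a dict (for example via PyYAML's yaml.safe_load); the sample workflow below is constructed with placeholder SHAs and does not reproduce the real kubestellar files.

```python
import re
from typing import Any

# A 40-hex commit SHA is the only immutable ref form for a third-party action;
# tags and branches (@v4, @main) can be moved after the fact.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(wf: dict[str, Any]) -> dict[str, Any]:
    """Return the facts a reviewer checks for a TokenPermissions alert:
    the top-level permissions, every job-level write scope, and every
    'uses:' reference that is not pinned to a full commit SHA."""
    job_writes: dict[str, list[str]] = {}
    unpinned: list[str] = []
    for name, job in wf.get("jobs", {}).items():
        perms = job.get("permissions", {})
        if perms == "write-all":
            job_writes[name] = ["write-all"]
        elif isinstance(perms, dict):
            writes = sorted(k for k, v in perms.items() if v == "write")
            if writes:
                job_writes[name] = writes  # candidates for narrowing
        for step in job.get("steps", []):
            uses = step.get("uses")
            # Local (./path) and docker:// refs are not version-pinned via '@'
            if not uses or uses.startswith(("./", "docker://")):
                continue
            _, _, ref = uses.partition("@")
            if not SHA_RE.match(ref):
                unpinned.append(uses)
    return {
        "top_level": wf.get("permissions", {}),
        "job_writes": job_writes,
        "unpinned": unpinned,
    }


# Constructed sample mirroring the pattern in the finding: read-all at the top,
# write scopes on the release job. SHA below is a placeholder, not a real pin.
SAMPLE = {
    "permissions": "read-all",
    "jobs": {
        "release": {
            "permissions": {"contents": "write", "packages": "write"},
            "steps": [
                {"uses": "actions/checkout@0123456789abcdef0123456789abcdef01234567"},
                {"uses": "docker/login-action@v3"},  # mutable tag, flagged
            ],
        },
        "lint": {"steps": [{"uses": "actions/checkout@v4"}]},  # flagged
    },
}
```

Jobs listed under job_writes are the ones to review for narrowing (e.g. dropping contents: write where only packages: write is used); anything under unpinned should be re-pinned to a commit SHA.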
Filed by sec-check agent (ACMM L6 — full mode)