Objective
Replace overly broad permissions: read-all with explicit minimal permissions in test-claude-oauth-workflow.
Context
The test-claude-oauth-workflow currently uses permissions: read-all which violates the principle of least privilege and increases the attack surface (MEDIUM severity). This was identified in the static analysis report as an excessive-permissions issue.
Related to discussion #3120 - Static Analysis Report finding #2.
Approach
- Analyze what permissions the workflow actually needs based on its operations
- Replace permissions: read-all with explicit minimal permissions
- Test the workflow to ensure it still functions correctly with reduced permissions
Files to Modify
- .github/workflows/test-claude-oauth-workflow.md - Update permissions from read-all to explicit minimal set
- Recompile with gh aw compile test-claude-oauth-workflow
Suggested Permissions
Based on typical agentic workflow needs:
permissions:
  contents: read
  issues: write
  pull-requests: write
Adjust if the specific workflow requires different permissions.
Acceptance Criteria
AI generated by Plan Command for discussion #3120
Acceptance Criteria
- permissions: read-all removed from workflow
Related to 🔍 Static Analysis Report - November 4, 2025 #3120
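Added example, not part of the original issue or the project's code: a small Python check that flags the read-all / write-all shorthand so the acceptance criterion can be verified before and after the change. It assumes the permissions key sits in the YAML frontmatter of the workflow .md file (plain YAML files are scanned whole); the sample workflow texts are constructed.

```python
import re

BROAD = {"read-all", "write-all"}  # shorthand grants that cover every scope
PERM_RE = re.compile(r"^(\s*)permissions:\s*(\S.*?)?\s*(?:#.*)?$")

def frontmatter(text):
    """Return (first_line_no, lines) of the YAML frontmatter, or the whole text if none."""
    lines = text.splitlines()
    if lines and lines[0].strip() == "---":
        for i in range(1, len(lines)):
            if lines[i].strip() == "---":
                return 2, lines[1:i]
    return 1, lines

def find_broad_permissions(text):
    """Return [(line_no, scope, value)] for each shorthand permissions grant."""
    first, lines = frontmatter(text)
    findings = []
    for offset, line in enumerate(lines):
        m = PERM_RE.match(line)
        if not m:
            continue
        value = (m.group(2) or "").strip("'\"")
        if value in BROAD:
            # Unindented key applies to the whole workflow; indented is job-level.
            scope = "job" if m.group(1) else "workflow"
            findings.append((first + offset, scope, value))
    return findings

# Constructed sample: frontmatter before the fix, with the same text in the prose body.
BEFORE = """---
on: workflow_dispatch
permissions: read-all
---
# Test
The old file used permissions: read-all here.
"""

# Constructed sample: frontmatter using the permissions suggested in the issue.
AFTER = """---
on: workflow_dispatch
permissions:
  contents: read
  issues: write
  pull-requests: write
---
# Test
"""

if __name__ == "__main__":
    for name, doc in (("before", BEFORE), ("after", AFTER)):
        print(name, find_broad_permissions(doc))
```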