github · yoff · Apr 23, 2025 · Apr 23, 2025 · Apr 23, 2025 · Apr 24, 2025
@@ -13,7 +13,10 @@ extensions:
       - ["actions/labeler", "pull-requests: write"]
       - ["actions/attest", "id-token: write"]
       - ["actions/attest", "attestations: write"]
-      # No permissions needed for actions/add-to-project
+      - ["actions/add-to-project", "repository-projects:read"]
+      - ["actions/add-to-project", "repository-projects:write"]
+      - ["actions/add-to-project", "issues:read"]
+      - ["actions/add-to-project", "pull-requests:read"]
       - ["actions/dependency-review-action", "contents: read"]
       - ["actions/attest-sbom", "id-token: write"]
       - ["actions/attest-sbom", "attestations: write"]
@@ -30,8 +33,8 @@ extensions:
       - ["actions/versions-package-tools", "actions: read"]
       - ["actions/reusable-workflows", "contents: read"]      
       - ["actions/reusable-workflows", "actions: read"]
-      # TODO: Add permissions for actions/download-artifact
-      # TODO: Add permissions for actions/upload-artifact
-      # TODO: Add permissions for actions/cache
+      # No permissions needed for actions/download-artifact
+      # No permissions needed for actions/upload-artifact
+      # No permissions needed for actions/cache
 
 
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The query `actions/missing-workflow-permissions` is now aware of the minimal permissions needed for the action `add-to-project`. This should lead to better alert messages and better fix suggestions.
@@ -2,4 +2,4 @@
 | .github/workflows/perms2.yml:6:5:10:2 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read} |
 | .github/workflows/perms5.yml:7:5:10:32 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read} |
 | .github/workflows/perms6.yml:7:5:11:39 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read, id-token: write, pages: write} |
-| .github/workflows/perms7.yml:7:5:10:38 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {} |
+| .github/workflows/perms7.yml:7:5:10:38 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {issues:read, pull-requests:read, repository-projects:read, repository-projects:write} |