Maintenance: Address code scanning alerts about GitHub Actions token permissions #2371

@phipag

Description

Summary

We need to refine our GitHub Actions token permissions since they lead to CodeQL alerts (https://github.com/aws-powertools/powertools-lambda-java/security/code-scanning).

Example:

Token-Permissions
score is 9: jobLevel 'contents' permission set to 'write'
Remediation tip: Visit https://app.stepsecurity.io/secureworkflow.
Tick the 'Restrict permissions for GITHUB_TOKEN'
Untick other options
NOTE: If you want to resolve multiple issues at once, you can visit https://app.stepsecurity.io/securerepo instead.
Click Remediation section below for further remediation help
Scorecard

Why is this needed?

This is needed to ensure least-privilege token use and scope down the permissions of our CI/CD pipeline to only the needed permissions.
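As an added illustration (not part of this issue and not taken from the powertools-lambda-java repository's own workflows), the hypothetical workflow below shows the pattern the Scorecard alert quoted above flags, followed by the scoped-down form. The workflow name, job names and build/release commands are assumptions chosen for the example; the `permissions` keys themselves are standard GitHub Actions syntax.

```yaml
# Added example, not from the project: a hypothetical "release" workflow.
#
# --- Before: the job-level grant that produces the alert
#     "jobLevel 'contents' permission set to 'write'".
# There is no workflow-level `permissions:` block, so every other job in the
# file keeps the repository's default GITHUB_TOKEN permissions as well.
name: release
on:
  push:
    branches: [main]
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: write   # flagged: write access for a job that only builds and tests
    steps:
      - uses: actions/checkout@v4
      - run: mvn -B verify
---
# --- After: least privilege.
# The workflow-level block makes read-only the default for every job; only the
# job that actually publishes a release is granted `contents: write`, and the
# token holds that scope only while that job runs.
name: release
on:
  push:
    branches: [main]
permissions:
  contents: read          # default for all jobs in this workflow
jobs:
  build:
    runs-on: ubuntu-latest
    # inherits contents: read and nothing else
    steps:
      - uses: actions/checkout@v4
      - run: mvn -B verify
  publish:
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: write     # the only job that needs to create a GitHub release
    steps:
      - uses: actions/checkout@v4
      - run: gh release create "v${{ github.run_number }}" --generate-notes
        env:
          GH_TOKEN: ${{ github.token }}
```

Two points worth keeping in mind when applying this to a real workflow: a job-level `permissions` block replaces the workflow-level one rather than extending it, so every scope the job needs (for example `pull-requests: write` for a job that comments on PRs, or `id-token: write` for OIDC-based cloud authentication) must be listed there explicitly, with all unlisted scopes set to none. To confirm the result, open a run's job log: the "Set up job" step prints the effective GITHUB_TOKEN permissions for that job.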

Which area does this relate to?

Governance

Solution

No response
