gh-pr-perm-audit
Install: claude install-skill thinkyou0714/github-flow-kit
# GitHub Actions PR-Approval Permission Audit
Find every repo where GitHub Actions can **create and approve** pull requests — a known way to
bypass required reviews — and report it security-first. `false` is the secure default; `true` is
an exposure to justify per repo. **Read-only**: this skill never changes settings; it prints the
exact command for you to run. See `references/openssf.md` for the why + sources.
## Setup Check
Run `gh auth status` — if not authenticated, output:
```
⚠️ gh CLI not authenticated. Run: gh auth login
```
and stop.
## Step 1: Resolve scope
- `--owner <name>`: audit that account. Otherwise: `OWNER=$(gh api user --jq .login)`.
- `--allow <repo,repo>`: comma-separated repos you INTENTIONALLY allow to have the setting `true`
(e.g. a repo whose CI legitimately opens PRs via `GITHUB_TOKEN`). Anything not listed is expected
to be `false`.
List repos (skip archived; they can't be changed):
```bash
gh repo list "$OWNER" --no-archived --limit 200 --json name --jq '.[].name'
```
## Step 2: Read the setting per repo
For each repo:
```bash
gh api "repos/$OWNER/$REPO/actions/permissions/workflow" \
--jq '[.default_workflow_permissions, (.can_approve_pull_request_reviews|tostring)] | @tsv'
```
The first field (`default_workflow_permissions`, `read` or `write`) is context only; the second field (`can_approve_pull_request_reviews`) is the audited flag.
## Step 3: Classify
| can_approve | in --allow? | Status |
|---|---|---|
| `true` | no | **RISK(unexpected)** — review-bypass exposure |
| `true` | yes | OK(allowlisted) — intentional |
| `false` | — | OK(secure-de
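An added end-to-end sketch of the three steps (not the skill's own code): `classify` implements the classification table so it can be checked offline, `audit` runs the `gh` calls from Steps 1 and 2 over every non-archived repo, and `fix_command` is the assumed form of the remediation the skill prints but never runs. The `UNKNOWN` bucket for API errors and the output layout are my additions.

```bash
#!/usr/bin/env bash
set -eu

# classify <can_approve> <repo> [allowlist]
# can_approve is the API value ("true"/"false"); allowlist is the comma-separated
# --allow value. Prints one status token per the classification table.
classify() {
  local can_approve="$1" repo="$2" allow="${3:-}"
  case "$can_approve" in
    false) echo "OK(secure-default)" ;;
    true)
      # wrap both sides in commas so "repo-a" does not match "repo-ab"
      if [ -n "$allow" ] && printf ',%s,' "$allow" | grep -qF ",$repo,"; then
        echo "OK(allowlisted)"
      else
        echo "RISK(unexpected)"
      fi ;;
    *) echo "UNKNOWN($can_approve)" ;;  # API error or missing field: never silently OK
  esac
}

# fix_command <owner> <repo>: the remediation the skill prints but does not execute
# (assumed form: PUT on the same endpoint; default_workflow_permissions left unchanged)
fix_command() {
  printf 'gh api --method PUT repos/%s/%s/actions/permissions/workflow -F can_approve_pull_request_reviews=false\n' "$1" "$2"
}

# audit <owner> [allowlist]: needs an authenticated gh; walks non-archived repos
audit() {
  local owner="$1" allow="${2:-}" repo line perms can_approve status
  gh repo list "$owner" --no-archived --limit 200 --json name --jq '.[].name' |
  while read -r repo; do
    line=$(gh api "repos/$owner/$repo/actions/permissions/workflow" \
      --jq '[.default_workflow_permissions, (.can_approve_pull_request_reviews|tostring)] | @tsv' 2>/dev/null) \
      || line=$(printf '?\t?')   # API failure: report it instead of skipping the repo
    perms=$(printf '%s' "$line" | cut -f1)
    can_approve=$(printf '%s' "$line" | cut -f2)
    status=$(classify "$can_approve" "$repo" "$allow")
    printf '%-45s %-6s %-6s %s\n' "$owner/$repo" "$perms" "$can_approve" "$status"
    [ "$status" = "RISK(unexpected)" ] && printf '    fix: %s\n' "$(fix_command "$owner" "$repo")"
  done
}

# Only contact GitHub when given an owner: ./audit.sh <owner> [repo,repo]
if [ -n "${1:-}" ]; then audit "$@"; fi
```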