ci(repo): add least-privilege permissions to GitHub Actions workflows#2798
ci(repo): add least-privilege permissions to GitHub Actions workflows#2798peter-matkovski wants to merge 9 commits into
Conversation
Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164
Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164
Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164
Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164
Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164
Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164
Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164
Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
📝 WalkthroughWalkthroughThis PR adds top-level ChangesGitHub Actions permissions scoping
Estimated code review effort: 1 (Trivial) | ~5 minutes 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/update_goldens.yml:
- Around line 16-19: The workflow-level permissions in update_goldens.yml are
too broad: remove the unnecessary actions: write grant from the permissions
block. Keep the workflow limited to the minimum needed access, since the
artifact upload steps in the job do not require it and the commit step uses
actions/checkout with ssh-key rather than a contents token.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: b8e4af82-9cb6-42e8-80fc-3a7166b2ab27
📒 Files selected for processing (8)
.github/workflows/beta_version_analyze.yml.github/workflows/distribute_external.yml.github/workflows/distribute_internal.yml.github/workflows/legacy_version_analyze.yml.github/workflows/pana.yml.github/workflows/pr_title.yml.github/workflows/stream_flutter_workflow.yml.github/workflows/update_goldens.yml
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## master #2798 +/- ##
=======================================
Coverage 71.03% 71.03%
=======================================
Files 429 429
Lines 26935 26935
=======================================
Hits 19133 19133
Misses 7802 7802 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
Summary
permissionsblocks to workflow files flagged by CodeQL.actions/missing-workflow-permissionsalerts.Linear
Test plan
Summary by CodeRabbit