CI: add least-privilege permissions to GitHub Actions workflows#609
Conversation
Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164
Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164
Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164
Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (3)
🚧 Files skipped from review as they are similar to previous changes (1)
📝 WalkthroughWalkthroughFour GitHub Actions workflow files were updated to add explicit permissions blocks. Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 2
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: 2f084c62-1e28-4a5a-ab43-972a39b48ec0
📒 Files selected for processing (4)
.github/workflows/ci.yml.github/workflows/daily.yml.github/workflows/python-versions.yml.github/workflows/run_tests.yml
Scope actions: write to the lint job that saves the mypy cache, and grant actions: write on caller workflows so the reusable run_tests job can write caches. Co-authored-by: Cursor <cursoragent@cursor.com>
Summary
permissionsblocks to workflow files flagged by CodeQL.actions/missing-workflow-permissionsalerts.Linear
Test plan