Skip to content

Add explicit permissions to approval-gate job in production deployment workflow#142

Merged
aurelianware merged 1 commit intoalert-autofix-8from
copilot/sub-pr-141
Jan 31, 2026
Merged

Add explicit permissions to approval-gate job in production deployment workflow#142
aurelianware merged 1 commit intoalert-autofix-8from
copilot/sub-pr-141

Conversation

Copy link
Contributor

Copilot AI commented Jan 31, 2026
edited
Loading

CodeQL alert #8 flagged the approval-gate job for inheriting overly broad default GITHUB_TOKEN permissions instead of declaring explicit constraints.

Changes:

  • Added permissions: contents: read to the approval-gate job in .github/workflows/deploy.yml
  • Job only prints deployment context and requires no write access
  • deploy job retains existing id-token: write + contents: read for OIDC authentication
approval-gate:
  needs: pre-approval-checks
  if: github.event_name != 'pull_request'
  runs-on: ubuntu-latest
  permissions:
    contents: read
  environment:
    name: PROD-approval

This enforces least-privilege principle without altering workflow behavior.

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

Copilot AI mentioned this pull request Jan 31, 2026
Merged
Copilot AI changed the title [WIP] Fix workflow to define permissions for approval-gate job Add explicit permissions to approval-gate job in production deployment workflow Jan 31, 2026
Copilot AI requested a review from aurelianware January 31, 2026 19:09
@aurelianware aurelianware marked this pull request as ready for review January 31, 2026 19:11
Copilot AI review requested due to automatic review settings January 31, 2026 19:11
Copilot AI reviewed Jan 31, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot wasn't able to review any files in this pull request.

@aurelianware aurelianware merged commit be5beb4 into alert-autofix-8 Jan 31, 2026
7 checks passed
@aurelianware aurelianware deleted the copilot/sub-pr-141 branch January 31, 2026 19:13
aurelianware added a commit that referenced this pull request Mar 8, 2026
@aurelianware
Merge pull request #142 from aurelianware/copilot/sub-pr-141
f38954d 
Add explicit permissions to approval-gate job in production deployment workflow
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

+1 more reviewer

@aurelianware aurelianware aurelianware approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@aurelianware aurelianware

Copilot code review Copilot

Labels

size/XS

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@aurelianware