ci: tighten workflow permissions and disable checkout credential persistence #5164

Merged
jedel1043 merged 1 commit into boa-dev:main from iammdzaidalam:ci/harden-workflow-permissions
Mar 19, 2026

Conversation

@iammdzaidalam (Contributor)

Closes #5163

Summary

Tighten least-privilege settings in a few core CI workflows.

Changes

  • add persist-credentials: false to checkout steps in:
    • rust.yml
    • pull_request.yml
    • webassembly.yml
    • security_audit.yml
    • nightly_build.yml
  • move contents: write in nightly_build.yml from the workflow level to the build job
  • keep workflow defaults read-only where possible

Notes

This is just a hardening cleanup with no intended behavior change.

pull_request.yml still keeps fetch-depth: 0, and nightly_build.yml still retains the write permission needed for release asset upload.
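To show what the two hardening steps in this PR look like in a workflow file, here is a constructed before/after pair for a nightly-style workflow. This is an added example, not boa-dev's actual nightly_build.yml; the workflow name, schedule, job names, build commands and the `gh release upload` step are assumptions, and only the `permissions` keys and the `persist-credentials` input of actions/checkout are the point.

```yaml
# Constructed example, not the boa-dev repository's own workflow.
#
# --- Before: `contents: write` at the workflow level grants every job a
# GITHUB_TOKEN that can push, and actions/checkout (default
# persist-credentials: true) stores that token in .git/config, where every
# later step of the job, including third-party actions, can read it.
name: nightly

on:
  schedule:
    - cron: "0 0 * * *"

permissions:
  contents: write   # weak: applies to the test job too, which never needs it

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # write-capable token left in .git/config
      - run: cargo test --workspace

  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: cargo build --release
      - run: gh release upload nightly dist/artifact.tar.gz   # assumed asset path
        env:
          GH_TOKEN: ${{ github.token }}
---
# --- After: read-only default at the workflow level, `contents: write` scoped
# to the one job that uploads release assets, and no credentials persisted by
# checkout in any job.
name: nightly

on:
  schedule:
    - cron: "0 0 * * *"

permissions:
  contents: read    # workflow default: least privilege

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # nothing left in .git/config for later steps
      - run: cargo test --workspace

  build:
    runs-on: ubuntu-latest
    permissions:
      contents: write   # only this job's token can create or upload release assets
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - run: cargo build --release
      - run: gh release upload nightly dist/artifact.tar.gz   # assumed asset path
        env:
          GH_TOKEN: ${{ github.token }}   # passed explicitly, only where needed
```

Two things to check when applying this pattern: a job-level `permissions` block replaces the workflow-level one rather than merging with it, so any other scope the job needs must be repeated there; and with `persist-credentials: false`, any later step that must push (for example a `git push` of generated files) has to receive the token explicitly through `env` or the action's own inputs, which is exactly what makes the token's use visible in review. `fetch-depth: 0`, as the PR notes, is independent of credential persistence and only controls how much history is cloned.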

@iammdzaidalam iammdzaidalam requested a review from a team as a code owner March 19, 2026 14:25
@github-actions github-actions bot added Waiting On Review Waiting on reviews from the maintainers C-Tests Issues and PRs related to the tests. C-Builtins PRs and Issues related to builtins/intrinsics C-Actions Pull requests that update Github Actions code and removed Waiting On Review Waiting on reviews from the maintainers labels Mar 19, 2026
@github-actions github-actions bot added this to the v1.0.0 milestone Mar 19, 2026
@github-actions

Test262 conformance changes

Test result    main count   PR count   difference
Total              52,963     52,963            0
Passed             50,079     50,079            0
Ignored             2,072      2,072            0
Failed                812        812            0
Panics                  0          0            0
Conformance        94.55%     94.55%        0.00%

Tested main commit: dd1efc2cef0868102f9e29cc9d05960c8283046b
Tested PR commit: 0f9cbb8bfd48a1e9d3ffeff9d6cc3213472a3d1a
Compare commits: dd1efc2...0f9cbb8

@codecov

codecov bot commented Mar 19, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 59.55%. Comparing base (6ddc2b4) to head (2ca1980).
⚠️ Report is 896 commits behind head on main.

Additional details and impacted files
@@             Coverage Diff             @@
##             main    #5164       +/-   ##
===========================================
+ Coverage   47.24%   59.55%   +12.31%     
===========================================
  Files         476      580      +104     
  Lines       46892    63244    +16352     
===========================================
+ Hits        22154    37665    +15511     
- Misses      24738    25579      +841     


@iammdzaidalam iammdzaidalam force-pushed the ci/harden-workflow-permissions branch from 0f9cbb8 to 2ca1980 on March 19, 2026 16:10
@github-actions github-actions bot added the Waiting On Review Waiting on reviews from the maintainers label Mar 19, 2026
@github-actions

Test262 conformance changes

Test result    main count   PR count   difference
Total              52,963     52,963            0
Passed             50,079     50,079            0
Ignored             2,072      2,072            0
Failed                812        812            0
Panics                  0          0            0
Conformance        94.55%     94.55%        0.00%

Tested main commit: c9aaad16b19aa2cadf72838fe8acc1043013023c
Tested PR commit: 2ca19809cd95484ef89b57831f8ea0cf14722586
Compare commits: c9aaad1...2ca1980

@jedel1043 (Member) left a comment

Looks good

@jedel1043 jedel1043 added the A-Meta Issues and PRs related to the repository itself label Mar 19, 2026
@jedel1043 jedel1043 added this pull request to the merge queue Mar 19, 2026
Merged via the queue into boa-dev:main with commit e2ab577 Mar 19, 2026
22 checks passed
@github-actions github-actions bot removed the Waiting On Review Waiting on reviews from the maintainers label Mar 19, 2026