Skip to content

Add explicit permissions for CI jobs #3204

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 5 commits into from
Aug 24, 2025
Merged

Add explicit permissions for CI jobs #3204

merged 5 commits into from
Aug 24, 2025

Conversation

@networkfusion
Copy link
Member

@networkfusion networkfusion commented Aug 24, 2025
edited by coderabbitai bot
Loading

Description

Add explicit permissions for github workflow jobs.

Motivation and Context

Github now recommends adding explicit permissions for actions.

How Has This Been Tested?

Screenshots

Types of changes

  • Improvement (non-breaking change that improves a feature, code or algorithm)
  • Bug fix (non-breaking change which fixes an issue with code or algorithm)
  • New feature (non-breaking change which adds functionality to code)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Config and build (change in the configuration and build system, has no impact on code or features)
  • Dev Containers (changes related with Dev Containers, has no impact on code or features)
  • Dependencies/declarations (update dependencies or assembly declarations and changes associated, has no impact on code or features)
  • Documentation (changes or updates in the documentation, has no impact on code or features)

Checklist

  • My code follows the code style of this project (only if there are changes in source code).
  • My changes require an update to the documentation (there are changes that require the docs website to be updated).
  • I have updated the documentation accordingly (the changes require an update on the docs in this repo).
  • I have read the CONTRIBUTING document.
  • I have tested everything locally and all new and existing tests passed (only if there are changes in source code).

Summary by CodeRabbit

  • Chores
    • CI workflows updated to set job-level token permissions (granting read access to repository contents) for devcontainer build and smoketest jobs across Azure RTOS, ChibiOS, ESP32, NXP FreeRTOS, TI, and related targets.
    • No changes to job steps or logic; no user-facing functionality changes.

@coderabbitai
Copy link
Contributor

coderabbitai bot commented Aug 24, 2025
edited
Loading

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

Added job-level permissions blocks to several GitHub Actions devcontainer workflows; each modified job now declares contents: read. No other workflow steps or logic were changed.

Changes

Cohort / File(s) Summary
Devcontainer build workflows
.github/workflows/devcontainer-all.yaml, .github/workflows/devcontainer-azurertos.yaml, .github/workflows/devcontainer-chibios.yaml, .github/workflows/devcontainer-esp32.yml, .github/workflows/devcontainer-freertos-nxp.yaml, .github/workflows/devcontainer-ti.yaml		 Added permissions under jobs.build with contents: read.
Smoketest workflow
.github/workflows/devcontainer-smoketest.yaml		 Added permissions under jobs.build-target with contents: read.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Tip

🔌 Remote MCP (Model Context Protocol) integration is now available!

Pro plan users can now connect to remote MCP servers from the Integrations page. Connect with popular remote MCPs such as Notion and Linear to add more context to your reviews and chats.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

  • MCP integration is disabled by default for public repositories
  • Jira integration is disabled by default for public repositories
  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 75356d3 and 6d7bbf3.

📒 Files selected for processing (7)
  • .github/workflows/devcontainer-all.yaml (1 hunks)
  • .github/workflows/devcontainer-azurertos.yaml (1 hunks)
  • .github/workflows/devcontainer-chibios.yaml (1 hunks)
  • .github/workflows/devcontainer-esp32.yml (1 hunks)
  • .github/workflows/devcontainer-freertos-nxp.yaml (1 hunks)
  • .github/workflows/devcontainer-smoketest.yaml (1 hunks)
  • .github/workflows/devcontainer-ti.yaml (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (7)
  • .github/workflows/devcontainer-chibios.yaml
  • .github/workflows/devcontainer-esp32.yml
  • .github/workflows/devcontainer-freertos-nxp.yaml
  • .github/workflows/devcontainer-azurertos.yaml
  • .github/workflows/devcontainer-all.yaml
  • .github/workflows/devcontainer-smoketest.yaml
  • .github/workflows/devcontainer-ti.yaml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (17)
  • GitHub Check: nf-interpreter (Nightly build) (Check_Build_Options)
  • GitHub Check: nf-interpreter (Check_Build_Options)
  • GitHub Check: build-target (TI_CC1352R1_LAUNCHXL, Debug, TI, 915)
  • GitHub Check: build-target (ESP32_H2_THREAD, Debug, ESP32)
  • GitHub Check: build-target (NXP_MIMXRT1060_EVK, Debug, FreeRTOS-NXP)
  • GitHub Check: build-target (ESP32_C6_THREAD, Debug, ESP32)
  • GitHub Check: build-target (ESP32_S3, Debug, ESP32)
  • GitHub Check: build-target (TI_CC1352R1_LAUNCHXL, Debug, All, 915)
  • GitHub Check: build-target (ESP32_C3, Debug, ESP32)
  • GitHub Check: build-target (ESP_WROVER_KIT, Debug, ESP32)
  • GitHub Check: build-target (NXP_MIMXRT1060_EVK, Debug, All)
  • GitHub Check: build-target (ESP32_S2_USB, Debug, ESP32)
  • GitHub Check: build-target (M5Core2, Debug, ESP32)
  • GitHub Check: build-target (ST_STM32F769I_DISCOVERY, Debug, ChibiOS)
  • GitHub Check: build-target (ST_STM32F769I_DISCOVERY, Debug, All)
  • GitHub Check: build-target (SL_STK3701A, Debug, All)
  • GitHub Check: build-target (SL_STK3701A, Debug, AzureRTOS)
✨ Finishing Touches
🧪 Generate unit tests
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch add-job-permissions

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share
🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

  • Review comments: Directly reply to a review comment made by CodeRabbit. Example:
    • I pushed a fix in commit <commit_id>, please review it.
    • Open a follow-up GitHub issue for this discussion.
  • Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
  • PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
    • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
    • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbitai help to get the list of available commands.

Other keywords and placeholders

  • Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
  • Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
  • Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

  • You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
  • Please see the configuration documentation for more information.
  • If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, Documentation and Community

  • Visit our Status Page to check the current availability of CodeRabbit.
  • Visit our Documentation for detailed information on how to use CodeRabbit.
  • Join our Discord Community to get help, request features, and share feedback.
  • Follow us on X/Twitter for updates and announcements.

coderabbitai[bot]
coderabbitai bot reviewed Aug 24, 2025
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (6)
.github/workflows/devcontainer-esp32.yml (1)

24-26: Right-size GITHUB_TOKEN scope; consider either using GITHUB_TOKEN for GHCR push or drop packages: write when using a PAT.

You’re logging into GHCR with a PAT (secrets.CONTAINER_BUILD_TOKEN). In that case, granting packages: write to the job’s GITHUB_TOKEN is not strictly required. Two clean options:

  • Option A (preferred for least secrets): switch the login to GITHUB_TOKEN and keep packages: write here.
  • Option B: keep the PAT-based login and remove packages: write from the job to minimize token scope.

Apply this diff for Option B (PAT login retained, least-privilege GITHUB_TOKEN):

 permissions:
   contents: read
-  packages: write

If you prefer Option A, adjust the login step (outside this hunk) to use GITHUB_TOKEN:

- name: Login to GitHub Container Registry
  uses: docker/login-action@v3
  with:
    registry: ghcr.io
    username: ${{ github.actor }}
    password: ${{ secrets.GITHUB_TOKEN }}

Optional: set a workflow-level default to lock down other jobs by default, overriding only where needed:

permissions:
  contents: read
.github/workflows/devcontainer-freertos-nxp.yaml (1)

24-26: Minimize token permissions given PAT-based GHCR push.

Same pattern here: because the job logs into GHCR using a PAT, packages: write on the GITHUB_TOKEN is unnecessary unless another step uses it to push/publish. Either (A) switch to GITHUB_TOKEN-based login and keep packages: write, or (B) retain PAT and drop packages: write for least privilege.

Apply this diff for Option B:

 permissions:
   contents: read
-  packages: write
.github/workflows/devcontainer-ti.yaml (1)

24-26: Align permissions with actual usage; remove packages: write if not pushing with GITHUB_TOKEN.

You’re using a PAT for the GHCR login. Unless another step relies on GITHUB_TOKEN to write to GHCR, packages: write can be removed to adhere to least-privilege.

 permissions:
   contents: read
-  packages: write

Alternative: switch the GHCR login to GITHUB_TOKEN and keep packages: write (same snippet as suggested in the ESP32 workflow).

.github/workflows/devcontainer-chibios.yaml (1)

24-26: Tighten GITHUB_TOKEN scope when a PAT is already used for GHCR.

As with the other build workflows, consider dropping packages: write on GITHUB_TOKEN since the registry push uses a PAT. Alternatively, migrate the login to GITHUB_TOKEN and keep packages: write.

 permissions:
   contents: read
-  packages: write

Optional repo-wide improvement: set permissions: contents: read at the workflow root and only elevate specific jobs that push to GHCR.

.github/workflows/devcontainer-all.yaml (1)

24-26: Consider dialing back packages scope or standardizing on GITHUB_TOKEN for GHCR push.

Right now the push auth uses a PAT via secrets.CONTAINER_BUILD_TOKEN (Lines 51–56). If you keep PAT auth, the job’s GITHUB_TOKEN doesn’t need packages: write. Reduce blast radius by removing that grant here. Alternatively, drop the PAT and push with GITHUB_TOKEN, in which case packages: write is appropriate.

Option A (keep PAT; least privilege on GITHUB_TOKEN):

     permissions:
       contents: read
-      packages: write
+      # packages not needed when authenticating to GHCR with PAT (docker/login-action)
+      # packages: write

Option B (use GITHUB_TOKEN for GHCR; remove PAT secret usage):

-    - name: Login to GitHub Container Registry
-      uses: docker/login-action@v3
-      with:
-        registry: ghcr.io
-        username: ${{ github.repository_owner }}
-        password: ${{ secrets.CONTAINER_BUILD_TOKEN }}
+    - name: Login to GitHub Container Registry
+      uses: docker/login-action@v3
+      with:
+        registry: ghcr.io
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}

Note: Option B requires keeping permissions.packages: write. Your existing “only push on main and when PUBLISH_DOCKER_IMAGE=='true'” guard helps mitigate exposure on PRs from forks.

.github/workflows/devcontainer-azurertos.yaml (1)

24-26: Reassess need for packages: write given PAT-based login.

As in the “all” workflow, you authenticate to GHCR using a PAT (Lines 51–56). If retaining PAT auth, the job’s GITHUB_TOKEN doesn’t need packages: write. Trim it, or switch to GITHUB_TOKEN for login.

Option A (retain PAT; remove unnecessary packages grant):

     permissions:
       contents: read
-      packages: write
+      # packages: write

Option B (switch login to GITHUB_TOKEN; keep packages: write):

-    - name: Login to GitHub Container Registry
-      uses: docker/login-action@v3
-      with:
-        registry: ghcr.io
-        username: ${{ github.repository_owner }}
-        password: ${{ secrets.CONTAINER_BUILD_TOKEN }}
+    - name: Login to GitHub Container Registry
+      uses: docker/login-action@v3
+      with:
+        registry: ghcr.io
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

  • MCP integration is disabled by default for public repositories
  • Jira integration is disabled by default for public repositories
  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 5504f4f and 27f38ad.

📒 Files selected for processing (7)
  • .github/workflows/devcontainer-all.yaml (1 hunks)
  • .github/workflows/devcontainer-azurertos.yaml (1 hunks)
  • .github/workflows/devcontainer-chibios.yaml (1 hunks)
  • .github/workflows/devcontainer-esp32.yml (1 hunks)
  • .github/workflows/devcontainer-freertos-nxp.yaml (1 hunks)
  • .github/workflows/devcontainer-smoketest.yaml (1 hunks)
  • .github/workflows/devcontainer-ti.yaml (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (17)
  • GitHub Check: nf-interpreter (Nightly build) (Check_Build_Options)
  • GitHub Check: nf-interpreter (Check_Build_Options)
  • GitHub Check: build-target (TI_CC1352R1_LAUNCHXL, Debug, TI, 915)
  • GitHub Check: build-target (ESP32_C6_THREAD, Debug, ESP32)
  • GitHub Check: build-target (NXP_MIMXRT1060_EVK, Debug, All)
  • GitHub Check: build-target (ESP32_H2_THREAD, Debug, ESP32)
  • GitHub Check: build-target (NXP_MIMXRT1060_EVK, Debug, FreeRTOS-NXP)
  • GitHub Check: build-target (TI_CC1352R1_LAUNCHXL, Debug, All, 915)
  • GitHub Check: build-target (SL_STK3701A, Debug, All)
  • GitHub Check: build-target (SL_STK3701A, Debug, AzureRTOS)
  • GitHub Check: build-target (ESP32_C3, Debug, ESP32)
  • GitHub Check: build-target (ESP32_S3, Debug, ESP32)
  • GitHub Check: build-target (M5Core2, Debug, ESP32)
  • GitHub Check: build-target (ESP_WROVER_KIT, Debug, ESP32)
  • GitHub Check: build-target (ST_STM32F769I_DISCOVERY, Debug, ChibiOS)
  • GitHub Check: build-target (ESP32_S2_USB, Debug, ESP32)
  • GitHub Check: build-target (ST_STM32F769I_DISCOVERY, Debug, All)
🔇 Additional comments (3)
.github/workflows/devcontainer-all.yaml (2)

24-26: Good move: explicit, job-scoped token permissions.

Setting least-privilege permissions at the job level aligns with GitHub’s guidance and avoids over-privileged defaults. Contents: read is necessary for checkout; packages permission is the only scope that could be contentious depending on auth strategy.

24-26: Sanity check across all workflows for consistent permissions policy

It looks like the fd invocation in the “missing permissions block” loop didn’t actually enumerate any files (it treated .github/workflows as a pattern rather than a directory). To catch any workflows that lack a permissions: block, please re-run with one of the following updated snippets:

#!/bin/bash
# List all workflows that declare a permissions block:
echo "Workflows with a permissions block:"
rg -nP '^\s*permissions\s*:' .github/workflows -g '*.yml' -g '*.yaml' \
  | sed 's/:.*//' | sort -u

# List all workflow files under .github/workflows and show those missing permissions:
echo -e "\nWorkflows missing a permissions block:"
for f in $(fd -t f -e yml -e yaml .github/workflows); do
  if ! rg -qP '^\s*permissions\s*:' "$f"; then
    echo "$f"
  fi
done

—or using find if you prefer:—

#!/bin/bash
echo "Workflows with a permissions block:"
rg -nP '^\s*permissions\s*:' .github/workflows -g '*.yml' -g '*.yaml' \
  | sed 's/:.*//' | sort -u

echo -e "\nWorkflows missing a permissions block:"
find .github/workflows -type f \( -name '*.yml' -o -name '*.yaml' \) | while read f; do
  if ! rg -qP '^\s*permissions\s*:' "$f"; then
    echo "$f"
  fi
done

Once you’ve rerun this, we’ll have a complete view of which workflows still need a permissions: block added or updated.

.github/workflows/devcontainer-azurertos.yaml (1)

24-26: Good: explicit permissions applied at the job level.

This matches least-privilege best practices; contents: read is required for checkout.

coderabbitai[bot]
coderabbitai bot reviewed Aug 24, 2025
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 0

♻️ Duplicate comments (1)
.github/workflows/devcontainer-smoketest.yaml (1)

38-93: Authenticate to GHCR before the devcontainers build or pulls may 401.

Even with packages: read granted to GITHUB_TOKEN, the runner must still log in to ghcr.io for private org images. Add a GHCR login step before invoking devcontainers/ci.

Apply this diff to insert the login step right before the build:

       - name: Adjust devcontainer.json for ${{ matrix.container }} source
         run: |
           # Move into the .devcontainer directory
           pushd .devcontainer/${{ matrix.container }}

           # Target the dockerfile source.
           sed -i -- 's|"dockerFile": "Dockerfile.${{ matrix.container }}"|"dockerFile": "Dockerfile.${{ matrix.container }}.SRC"|g' devcontainer.json

           # Move out of the .devcontainer directory
           popd

+      - name: Log into GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
       - name: Build ${{ matrix.target }} ${{ matrix.build-type }} Firmware
         uses: devcontainers/[email protected]
         with:
           configFile: ./.devcontainer/${{ matrix.container }}/devcontainer.json
           push: never
           runCmd: |
             # Build target:
             cmake --preset=${{ matrix.target }} -DCMAKE_BUILD_TYPE=${{ matrix.build-type }}
             cmake --build build

Run this to confirm whether GHCR images used by the devcontainers require auth (HTTP 401 implies private):

#!/bin/bash
set -euo pipefail

echo "Detecting GHCR references in devcontainer Dockerfiles and devcontainer.json..."
rg -n --glob '.devcontainer/**/Dockerfile.*.SRC' -e '^\s*FROM\s+ghcr\.io' -C1 || true
rg -n --glob '.devcontainer/**/devcontainer.json' -e '"image"\s*:\s*".*ghcr\.io' || true

echo -e "\nProbing a representative set of GHCR images for public access (expects 401 if private):"
imgs=$(rg -N --no-filename --glob '.devcontainer/**/Dockerfile.*.SRC' -oP '^\s*FROM\s+\Kghcr\.io/[^\s:]+' | sort -u \
  ; rg -N --no-filename --glob '.devcontainer/**/devcontainer.json' -oP '"image"\s*:\s*"\Kghcr\.io/[^":]+' | sort -u) || true

mapfile -t images < <(printf '%s\n' "$imgs" | sed 's/$/:latest/' | sort -u)

for ref in "${images[@]}"; do
  name=${ref%:*}
  tag=${ref#*:}
  url="https://ghcr.io/v2/${name#ghcr.io/}/manifests/$tag"
  code=$(curl -s -o /dev/null -w "%{http_code}" -H "Accept: application/vnd.oci.image.manifest.v1+json" "$url")
  echo "$ref -> HTTP $code"
done

echo -e "\nIf you see HTTP 401 for any, the GHCR login step above is mandatory."
🧹 Nitpick comments (1)
.github/workflows/devcontainer-smoketest.yaml (1)

39-45: Pin third-party actions to commit SHAs for supply-chain hardening.

Avoid floating tags like @main, @v4, @v0.3. Pin to a verified commit SHA and optionally keep the tag as a comment for readability.

Example:

-      - uses: actions/checkout@v4
+      - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c1235 # v4.1.7

-      - name: Free Disk Space (Ubuntu)
-        uses: jlumbroso/free-disk-space@main
+      - name: Free Disk Space (Ubuntu)
+        uses: jlumbroso/free-disk-space@2a1b3e4f8b5a1c0d8e2f0f1e0a9b7c6d5e4f3a2b # main at time of pin

-      - name: Build ${{ matrix.target }} ${{ matrix.build-type }} Firmware
-        uses: devcontainers/[email protected]
+      - name: Build ${{ matrix.target }} ${{ matrix.build-type }} Firmware
+        uses: devcontainers/ci@c1d2e3f4a5b6c7d8e9f00112233445566778899a # v0.3

If you want, I can open a separate PR to pin these across all workflows.

Also applies to: 85-86

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

  • MCP integration is disabled by default for public repositories
  • Jira integration is disabled by default for public repositories
  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 27f38ad and 75356d3.

📒 Files selected for processing (1)
  • .github/workflows/devcontainer-smoketest.yaml (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (18)
  • GitHub Check: nf-interpreter (Nightly build) (Check_Build_Options)
  • GitHub Check: nf-interpreter (Check_Build_Options)
  • GitHub Check: build-target (ESP32_H2_THREAD, Debug, ESP32)
  • GitHub Check: build-target (TI_CC1352R1_LAUNCHXL, Debug, TI, 915)
  • GitHub Check: build-target (TI_CC1352R1_LAUNCHXL, Debug, All, 915)
  • GitHub Check: build-target (ESP32_C6_THREAD, Debug, ESP32)
  • GitHub Check: build-target (NXP_MIMXRT1060_EVK, Debug, All)
  • GitHub Check: build-target (ESP32_C3, Debug, ESP32)
  • GitHub Check: build-target (ESP32_S3, Debug, ESP32)
  • GitHub Check: build-target (NXP_MIMXRT1060_EVK, Debug, FreeRTOS-NXP)
  • GitHub Check: build-target (ESP_WROVER_KIT, Debug, ESP32)
  • GitHub Check: build-target (ESP32_S2_USB, Debug, ESP32)
  • GitHub Check: build-target (ST_STM32F769I_DISCOVERY, Debug, ChibiOS)
  • GitHub Check: build-target (M5Core2, Debug, ESP32)
  • GitHub Check: build-target (SL_STK3701A, Debug, All)
  • GitHub Check: build-target (SL_STK3701A, Debug, AzureRTOS)
  • GitHub Check: build-target (ST_STM32F769I_DISCOVERY, Debug, All)
  • GitHub Check: Analyze (actions)
🔇 Additional comments (1)
.github/workflows/devcontainer-smoketest.yaml (1)

34-36: Good move to least-privilege: packages: read fits this smoketest job.

For a job that only pulls GHCR images and never pushes, contents: read + packages: read is the right minimal scope. No issues here.

@networkfusion
Update devcontainer-smoketest.yaml
0a68fb3 
Adjust to add docker login.
@networkfusion
Remove package write based on AI feedback.
eb6b4df 
This uses a different PAT.
josesimoes
josesimoes approved these changes Aug 24, 2025
View reviewed changes
Copy link
Member

@josesimoes josesimoes left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@josesimoes josesimoes requested a review from Copilot August 24, 2025 19:54
Copilot AI reviewed Aug 24, 2025
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR adds explicit permissions to GitHub Actions workflow jobs for devcontainer build processes. The changes follow GitHub's recommendation to explicitly define job-level permissions instead of relying on default permissions.

  • Added contents: read permission to all devcontainer build jobs
  • Added packages: read permission to the smoketest job
  • Added Docker login step to the smoketest workflow for GHCR authentication

Reviewed Changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
.github/workflows/devcontainer-all.yaml Added explicit contents: read permission to build job
.github/workflows/devcontainer-azurertos.yaml Added explicit contents: read permission to build job
.github/workflows/devcontainer-chibios.yaml Added explicit contents: read permission to build job
.github/workflows/devcontainer-esp32.yml Added explicit contents: read permission to build job
.github/workflows/devcontainer-freertos-nxp.yaml Added explicit contents: read permission to build job
.github/workflows/devcontainer-ti.yaml Added explicit contents: read permission to build job
.github/workflows/devcontainer-smoketest.yaml Added contents: read and packages: read permissions, plus Docker login step

Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.

@networkfusion networkfusion changed the title Add explicit permissions for jobs Add explicit permissions for CI jobs Aug 24, 2025
@networkfusion
Update devcontainer-smoketest.yaml
6d7bbf3 
Since we build this from scratch, there should be no need to login to GHCR.
@networkfusion networkfusion merged commit 316f6e9 into main Aug 24, 2025
23 checks passed
@networkfusion networkfusion deleted the add-job-permissions branch August 24, 2025 20:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

Copilot code review Copilot Copilot left review comments

@josesimoes josesimoes josesimoes approved these changes

Assignees

No one assigned

Labels

Area: Config-and-Build

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@networkfusion @josesimoes @nfbot