
ci(cd): update workflow permissions#610

Merged
rhahao merged 1 commit into main from workflow-permissions
Jan 4, 2026

Conversation

@rhahao
Member

@rhahao rhahao commented Jan 4, 2026

No description provided.

@vercel

vercel bot commented Jan 4, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

2 Skipped Deployments
| Project | Deployment | Review | Updated (UTC) |
| --- | --- | --- | --- |
| docs-organized-app | Ignored | Ignored | Jan 4, 2026 8:05am |
| sws2apps-orgs | Ignored | Ignored | Jan 4, 2026 8:05am |

@coderabbitai
Contributor

coderabbitai bot commented Jan 4, 2026

Walkthrough

The pull request refactors GitHub Actions workflow permissions across three security-focused workflows (CodeQL, njsscan, and Scorecards) by consolidating per-job permission declarations into global workflow-level permissions with explicit scopes.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Workflow Permissions Refactoring (.github/workflows/code-ql.yml, .github/workflows/njsscan.yml, .github/workflows/scorecards.yml) | Migrated permission grants from per-job blocks to top-level workflow declarations. CodeQL: adds contents: read and security-events: write globally. njsscan: transitions to global contents: read and security-events: write. Scorecards: expands to granular id-token, contents, and security-events with explicit read/write permissions. All remove redundant per-job permission entries. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Pre-merge checks

✅ Passed checks (3 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title accurately describes the main changes: updating workflow permissions across three GitHub Actions workflow files from mixed per-job to global permissions. |
| Description check | ✅ Passed | No description was provided; however, the title is sufficiently clear and the changes are straightforward permission restructuring, making this acceptable. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

📜 Recent review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b2ef0fd and 4ef9707.

📒 Files selected for processing (3)
  • .github/workflows/code-ql.yml
  • .github/workflows/njsscan.yml
  • .github/workflows/scorecards.yml
🔇 Additional comments (3)
.github/workflows/scorecards.yml (1)

10-13: Excellent security improvement! Permissions are correct and complete.

Replacing read-all with explicit, granular permissions is a significant security enhancement that follows the principle of least privilege. The three permissions are exactly what's needed for this workflow:

  • id-token: write is required for Scorecard's publish_results: true (OIDC token for publishing)
  • contents: read is needed for the checkout action
  • security-events: write is required for SARIF upload to code scanning

The ossf/scorecard-action will execute successfully with these permissions, and no additional permissions are needed for this configuration.

.github/workflows/njsscan.yml (1)

11-13: The workflow permissions are correct. The minimal permissions—contents: read and security-events: write—are exactly what this workflow requires.

The njsscan-action does not require actions: read permission; it only needs repository access to check out code (already provided by contents: read). The SARIF upload step correctly uses security-events: write for uploading scan results to GitHub Security. This is a newly created workflow, so there was no previous per-job actions: read to consolidate.

.github/workflows/code-ql.yml (1)

11-13: LGTM! The minimal permissions are appropriate for a public repository CodeQL workflow.

The consolidated workflow-level permissions are correctly scoped. For public repositories, contents: read and security-events: write are sufficient for CodeQL analysis. The actions: read permission is recommended primarily for private repositories to avoid "Resource not accessible by integration" errors during SARIF uploads, but is not required for public repos. The current configuration appropriately follows the principle of least privilege.


Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.


Comment @coderabbitai help to get the list of available commands and usage tips.
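The Scorecards change the review describes, as an added example workflow (constructed here, not the repository's own .github/workflows/scorecards.yml): the blanket `read-all` grant the PR removes, beside the three explicit workflow-level scopes it adopts, each tied to the step that needs it. Action version tags, the trigger schedule and the results file name are assumptions.

```yaml
# Constructed example, not this repository's scorecards.yml.
name: Scorecard supply-chain analysis

on:
  schedule:
    - cron: '30 1 * * 6'   # weekly run; the schedule is an assumption
  push:
    branches: [main]

# BEFORE (what the PR replaces): one blanket grant for every job.
# permissions: read-all
#
# AFTER: explicit, workflow-level scopes. Nothing is granted that a step
# below does not use, and there is a single place to audit the policy.
permissions:
  id-token: write         # OIDC token, needed only because publish_results: true
  contents: read          # actions/checkout
  security-events: write  # upload-sarif into code scanning

jobs:
  analysis:
    runs-on: ubuntu-latest
    # No per-job permissions block: the global grant above is the whole policy.
    steps:
      - uses: actions/checkout@v4   # pin to a commit SHA in production
        with:
          persist-credentials: false   # do not leave the token in .git/config

      - uses: ossf/scorecard-action@v2
        with:
          results_file: results.sarif   # file name is an assumption
          results_format: sarif
          publish_results: true         # this is what requires id-token: write

      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif     # needs security-events: write
```

Because the top-level `permissions` block narrows GITHUB_TOKEN to exactly these scopes, a step that later needs more (for example a write to repository contents) fails visibly instead of succeeding on a broad default token.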

@sonarqubecloud

sonarqubecloud bot commented Jan 4, 2026

@rhahao rhahao merged commit 85e1673 into main Jan 4, 2026
14 checks passed
