ci: add least-privilege permissions to GitHub Actions workflows#3238
Conversation
Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164
Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164
Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164
📝 WalkthroughWalkthroughThree GitHub Actions workflows now declare explicit ChangesWorkflow permissions hardening
Estimated code review effort: 1 (Trivial) | ~3 minutes 🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/ci.yml:
- Around line 16-19: The workflow permissions are too broad because `actions:
write` is set at the top level, so scope it down to the `build` job that saves
the cache. Update the `build` job permissions to include `actions: write`, and
leave the other jobs with `actions: read` or no `actions` permission at all
while keeping the existing `contents` and `pull-requests` access as needed.
In @.github/workflows/size.yml:
- Around line 13-15: The workflow permissions are too restrictive for the
size-comment step, so update the permissions in the size workflow to allow the
compressed size action to post its PR comment. Adjust the workflow configuration
that defines the permissions block for the `preactjs/compressed-size-action@v2`
step so `pull-requests` has write access instead of read, and keep in mind
forked PRs will still be limited by GitHub’s read-only token behavior.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 07aafd6c-cd18-4632-9155-5f68ec836148
📒 Files selected for processing (3)
.github/workflows/ci.yml.github/workflows/pr-check.yml.github/workflows/size.yml
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## master #3238 +/- ##
==========================================
+ Coverage 85.18% 85.21% +0.03%
==========================================
Files 505 505
Lines 15784 15784
Branches 5010 5010
==========================================
+ Hits 13445 13451 +6
+ Misses 2339 2333 -6 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
Scope actions: write to the build job that saves the cache, and grant pull-requests: write so compressed-size-action can post PR comments. Co-authored-by: Cursor <cursoragent@cursor.com>
|
Size Change: 0 B Total Size: 880 kB ℹ️ View Unchanged
|
There was a problem hiding this comment.
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
.github/workflows/ci.yml (1)
16-18: 🩺 Stability & Availability | 🟠 Major | ⚡ Quick winAdd
actions: readto the workflow permissions.github/workflows/ci.yml:16-18
Recover Build Outputinherits the workflow token, so the cache restore step needsactions: read; otherwise it falls back toactions: noneand the step fails. The build job already overrides this withactions: write.🔒 Proposed fix
permissions: + actions: read contents: read pull-requests: read🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/ci.yml around lines 16 - 18, The workflow permissions block is missing the `actions: read` scope needed by the `Recover Build Output` cache restore step, so update the top-level permissions in the CI workflow to include it while keeping the existing `contents: read` and `pull-requests: read` settings. Make the change in the workflow permissions section so the inherited token can access actions at read level, matching the build job’s override behavior.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Outside diff comments:
In @.github/workflows/ci.yml:
- Around line 16-18: The workflow permissions block is missing the `actions:
read` scope needed by the `Recover Build Output` cache restore step, so update
the top-level permissions in the CI workflow to include it while keeping the
existing `contents: read` and `pull-requests: read` settings. Make the change in
the workflow permissions section so the inherited token can access actions at
read level, matching the build job’s override behavior.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: ebb450dc-6f65-49a3-9a4b-b742801e8376
📒 Files selected for processing (2)
.github/workflows/ci.yml.github/workflows/size.yml
|
🎉 This PR is included in version 14.8.0 🎉 The release is available on: Your semantic-release bot 📦🚀 |
Summary
permissionsblocks to workflow files flagged by CodeQL.actions/missing-workflow-permissionsalerts.Linear
Test plan
Summary by CodeRabbit