Skip to content

ci: add least-privilege permissions to GitHub Actions workflows#3238

Merged
oliverlaz merged 4 commits into
masterfrom
ci/workflow-least-privilege-permissions
Jul 8, 2026
Merged

ci: add least-privilege permissions to GitHub Actions workflows#3238
oliverlaz merged 4 commits into
masterfrom
ci/workflow-least-privilege-permissions

Conversation

@peter-matkovski

@peter-matkovski peter-matkovski commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Add explicit least-privilege permissions blocks to workflow files flagged by CodeQL.
  • Scopes derived from workflow operations (build, artifacts, Danger, release git push).
  • Resolves 6 open actions/missing-workflow-permissions alerts.

Linear

Test plan

  • CI green
  • Code scanning alerts close after merge

Summary by CodeRabbit

  • Chores
    • Updated GitHub Actions workflow permissions to use clearer, scoped permission settings.
    • Restricted automation to read-only access for pull request checks where possible, while preserving required write access for CI tasks.
    • Improved consistency and security across repository automation workflows.

Add explicit workflow-level permissions blocks to resolve CodeQL
actions/missing-workflow-permissions alerts. Scopes are derived from
workflow operations (git push, artifact upload, Danger, release lanes).

Refs: APPSEC-164
Add explicit workflow-level permissions blocks to resolve CodeQL
actions/missing-workflow-permissions alerts. Scopes are derived from
workflow operations (git push, artifact upload, Danger, release lanes).

Refs: APPSEC-164
Add explicit workflow-level permissions blocks to resolve CodeQL
actions/missing-workflow-permissions alerts. Scopes are derived from
workflow operations (git push, artifact upload, Danger, release lanes).

Refs: APPSEC-164
@coderabbitai

coderabbitai Bot commented Jul 8, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

Three GitHub Actions workflows now declare explicit permissions blocks. ci.yml scopes the default token at workflow and job levels, while pr-check.yml and size.yml add top-level permissions for their events.

Changes

Workflow permissions hardening

Layer / File(s) Summary
Add explicit permissions to workflows
.github/workflows/ci.yml, .github/workflows/pr-check.yml, .github/workflows/size.yml
ci.yml adds workflow-level contents: read and pull-requests: read, plus actions: write on the build job; pr-check.yml adds contents: read and pull-requests: read; size.yml adds contents: read and pull-requests: write.

Estimated code review effort: 1 (Trivial) | ~3 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Description check ⚠️ Warning The description is missing the required Goal, Implementation details, and UI Changes sections from the template. Rewrite the PR description using the repo template, adding Goal, Implementation details, and UI Changes (or noting none).
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly summarizes the main change: adding least-privilege permissions to GitHub Actions workflows.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch ci/workflow-least-privilege-permissions

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ci.yml:
- Around line 16-19: The workflow permissions are too broad because `actions:
write` is set at the top level, so scope it down to the `build` job that saves
the cache. Update the `build` job permissions to include `actions: write`, and
leave the other jobs with `actions: read` or no `actions` permission at all
while keeping the existing `contents` and `pull-requests` access as needed.

In @.github/workflows/size.yml:
- Around line 13-15: The workflow permissions are too restrictive for the
size-comment step, so update the permissions in the size workflow to allow the
compressed size action to post its PR comment. Adjust the workflow configuration
that defines the permissions block for the `preactjs/compressed-size-action@v2`
step so `pull-requests` has write access instead of read, and keep in mind
forked PRs will still be limited by GitHub’s read-only token behavior.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 07aafd6c-cd18-4632-9155-5f68ec836148

📥 Commits

Reviewing files that changed from the base of the PR and between c89366b and 703f693.

📒 Files selected for processing (3)
  • .github/workflows/ci.yml
  • .github/workflows/pr-check.yml
  • .github/workflows/size.yml

Comment thread .github/workflows/ci.yml
Comment thread .github/workflows/size.yml Outdated
@codecov

codecov Bot commented Jul 8, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 85.21%. Comparing base (c89366b) to head (23c1862).
⚠️ Report is 1 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #3238      +/-   ##
==========================================
+ Coverage   85.18%   85.21%   +0.03%     
==========================================
  Files         505      505              
  Lines       15784    15784              
  Branches     5010     5010              
==========================================
+ Hits        13445    13451       +6     
+ Misses       2339     2333       -6     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@peter-matkovski peter-matkovski changed the title CI: add least-privilege permissions to GitHub Actions workflows ci: add least-privilege permissions to GitHub Actions workflows Jul 8, 2026
Scope actions: write to the build job that saves the cache, and grant
pull-requests: write so compressed-size-action can post PR comments.

Co-authored-by: Cursor <cursoragent@cursor.com>
@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown

Size Change: 0 B

Total Size: 880 kB

ℹ️ View Unchanged
Filename Size
dist/cjs/audioProcessing.js 1.74 kB
dist/cjs/channel-detail.js 22.9 kB
dist/cjs/emojis.js 2.56 kB
dist/cjs/index.js 292 kB
dist/cjs/mp3-encoder.js 814 B
dist/cjs/ReactPlayerWrapper.js 547 B
dist/cjs/useChannelHeaderOnlineStatus.js 41 kB
dist/cjs/useMessageComposerController.js 1.01 kB
dist/cjs/useNotificationApi.js 57.5 kB
dist/css/channel-detail.css 2.84 kB
dist/css/emoji-picker.css 178 B
dist/css/emoji-replacement.css 456 B
dist/css/index.css 41.4 kB
dist/es/audioProcessing.mjs 1.65 kB
dist/es/channel-detail.mjs 22.6 kB
dist/es/emojis.mjs 2.48 kB
dist/es/index.mjs 290 kB
dist/es/mp3-encoder.mjs 768 B
dist/es/ReactPlayerWrapper.mjs 485 B
dist/es/useChannelHeaderOnlineStatus.mjs 40.5 kB
dist/es/useMessageComposerController.mjs 935 B
dist/es/useNotificationApi.mjs 56.1 kB

compressed-size-action

@peter-matkovski peter-matkovski self-assigned this Jul 8, 2026
@oliverlaz oliverlaz merged commit 2c70879 into master Jul 8, 2026
13 of 14 checks passed
@oliverlaz oliverlaz deleted the ci/workflow-least-privilege-permissions branch July 8, 2026 14:16

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/ci.yml (1)

16-18: 🩺 Stability & Availability | 🟠 Major | ⚡ Quick win

Add actions: read to the workflow permissions .github/workflows/ci.yml:16-18

Recover Build Output inherits the workflow token, so the cache restore step needs actions: read; otherwise it falls back to actions: none and the step fails. The build job already overrides this with actions: write.

🔒 Proposed fix
 permissions:
+  actions: read
   contents: read
   pull-requests: read
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 16 - 18, The workflow permissions
block is missing the `actions: read` scope needed by the `Recover Build Output`
cache restore step, so update the top-level permissions in the CI workflow to
include it while keeping the existing `contents: read` and `pull-requests: read`
settings. Make the change in the workflow permissions section so the inherited
token can access actions at read level, matching the build job’s override
behavior.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In @.github/workflows/ci.yml:
- Around line 16-18: The workflow permissions block is missing the `actions:
read` scope needed by the `Recover Build Output` cache restore step, so update
the top-level permissions in the CI workflow to include it while keeping the
existing `contents: read` and `pull-requests: read` settings. Make the change in
the workflow permissions section so the inherited token can access actions at
read level, matching the build job’s override behavior.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: ebb450dc-6f65-49a3-9a4b-b742801e8376

📥 Commits

Reviewing files that changed from the base of the PR and between 703f693 and 23c1862.

📒 Files selected for processing (2)
  • .github/workflows/ci.yml
  • .github/workflows/size.yml

@stream-ci-bot

Copy link
Copy Markdown

🎉 This PR is included in version 14.8.0 🎉

The release is available on:

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants