
ci: declare permissions on lint, test, pr-comment, release #135

Open

arpitjain099 wants to merge 1 commit into cloudflare:staging from arpitjain099:ci/add-permissions

Conversation

@arpitjain099


Adds explicit top-level permissions: to the four workflows still relying on default token scopes:

  • lint.yml + test.yml: contents: read. Pure CI — install deps, lint/build, run tests.
  • pr-comment.yml: contents: read + pull-requests: write. The step runs gh pr comment $PR_NUMBER --body ... with GITHUB_TOKEN; pull-requests: write is the documented scope for the comments API.
  • release.yml: contents: write + issues: write + pull-requests: write. npx semantic-release creates the GitHub release/tag and posts the released-issue/PR comments. The final git push --set-upstream origin staging step also needs contents: write. The npm publish step uses NPM_PUBLISH_TOKEN, not the GitHub token.

Already-hardened siblings (ai-pr-review.yml, bonk.yml, update-docs.yml) follow the same top-level approach. YAML validated with yaml.safe_load.
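For readers who want to see what the scopes listed above look like in a workflow file, here is a constructed illustration of pr-comment.yml and release.yml with top-level permissions blocks. This is an added example, not the PR's diff or the repository's real files; the triggers, job names, step bodies, checkout action and the NPM_TOKEN env var name are assumptions.

```yaml
# Constructed illustration; not the repository's actual workflow files.
# Document 1: pr-comment.yml with the scopes described in the PR.
name: pr-comment
on: pull_request          # assumed trigger
permissions:              # top-level block: any scope not listed here becomes `none`
  contents: read          # read the repository contents
  pull-requests: write    # the scope the PR comments API requires for `gh pr comment`
jobs:
  comment:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # assumed; pin to a commit SHA in real use
      - run: gh pr comment "$PR_NUMBER" --body "Automated comment"   # assumed body
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}          # gh CLI reads GH_TOKEN
          PR_NUMBER: ${{ github.event.pull_request.number }}
---
# Document 2: release.yml. semantic-release creates the GitHub release/tag
# (contents: write) and comments on released issues/PRs (issues: write,
# pull-requests: write); the final push to staging also needs contents: write.
# Publishing to npm uses a separate secret, not GITHUB_TOKEN.
name: release
on:
  push:
    branches: [main]      # assumed trigger
permissions:
  contents: write
  issues: write
  pull-requests: write
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # assumed; pin to a commit SHA in real use
        with:
          fetch-depth: 0            # semantic-release needs full tag history
      - run: npx semantic-release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          NPM_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}   # assumed env var name; npm publish auth
      - run: git push --set-upstream origin staging
```

Because an explicit top-level permissions block resets every unlisted scope to none, a job that needs an extra scope will fail loudly rather than silently using the default token, which is the desired behaviour when tightening CI.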

@arpitjain099

Author

I have read the CLA Document and I hereby sign the CLA

@arpitjain099

Author

Hi @ravindra-cloudflare, gentle ping on this. PR has been open for 4 days without review. I noticed you've been on the recent-merger side of recent merges in this repo. When you have a moment, would you mind giving it a quick look? No urgency. Happy to address any feedback.

@ravindra-cloudflare

Collaborator

We are working on setting up trusted publishing and staged releases. We are parking this PR till then. It will be picked and merged after that.

@arpitjain099

Author

Thanks @ravindra-cloudflare, appreciate the heads up - no rush on my side, happy to wait until the trusted publishing work lands.

lint.yml and test.yml are read-only and only need contents: read.

pr-comment.yml runs `gh pr comment` against the PR, so it gets
contents: read + pull-requests: write.

release.yml runs semantic-release (creates GH releases, tags, comments
on issues/PRs about the release) and pushes main onto staging, so it
needs contents: write + issues: write + pull-requests: write. The npm
publish step uses NPM_PUBLISH_TOKEN, not GITHUB_TOKEN.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>