ci: harden GitHub Actions workflow permissions

[wwwillchen-bot]

Summary

• Set top-level permissions: {} on 7 workflows to restrict default token permissions, moving grants to job level with least-privilege scoping
• Pinned CLA Assistant action to commit SHA (ca4a40a7d...) instead of mutable tag for supply-chain safety
• Mitigated prompt injection in the issue triage workflow by passing issue data via environment variables instead of direct template interpolation, with an explicit security notice

Test plan

• Verify CLA workflow still posts status comments on PRs (permissions moved to job level)
• Verify issue triage workflow still labels and comments on new issues (env var approach)
• Verify PR review, rebase, bugbot, and closed-issue-comment workflows still trigger correctly with restricted top-level permissions
• Confirm no permission errors in workflow runs

🤖 Generated with Claude Code

---

[wwwillchen]

@BugBot run

[cubic-dev-ai]

No issues found across 8 files

Confidence score: 5/5

• Automated review surfaced no issues in the provided summaries.
• No files require special attention.

[gemini-code-assist]

Note

Gemini is unable to generate a summary for this pull request due to the file types involved not being currently supported.

[devin-ai-integration]

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 4 additional findings.

[github-actions]

🔍 Dyadbot Code Review Summary

Verdict: ✅ YES - Ready to merge

Reviewed by 3 independent agents: Correctness Expert, Code Health Expert, UX Wizard.

Issues Summary

Severity	File	Issue
🟡 MEDIUM	.github/workflows/claude-check-workflows.yml	Missing top-level permissions: {} unlike all other hardened workflows
🟢 LOW	.github/workflows/claude-triage.yml:96	Issue number still directly interpolated despite env var migration

🟢 Low Priority Notes (1 item)

• Inconsistent interpolation of issue number - .github/workflows/claude-triage.yml:96 - ${{ github.event.issue.number }} is still directly interpolated in the duplicate search prompt, even though ISSUE_NUMBER env var was created for this purpose. Not a security risk (always an integer), but inconsistent with the env var migration approach.

🚫 Dropped False Positives (2 items)

• github.repository still directly interpolated - Dropped: github.repository is not user-controlled input; moving it to an env var adds complexity for zero security benefit.
• Dropped actions:write may break CLA workflow - Dropped: The CLA Assistant's core operations (status checks, PR comments, content writes) are covered by statuses:write, pull-requests:write, and contents:write. actions:write is typically for re-running workflows, which CLA doesn't require.

---

Generated by Dyadbot multi-agent code review

[greptile-apps]

Greptile Summary

This PR successfully hardens GitHub Actions workflow security across 8 workflows by applying least-privilege principles: adding top-level permissions: {} blocks to deny default GITHUB_TOKEN grants and moving necessary permissions to the job level, pinning the CLA Assistant action to a commit SHA (ca4a40a7d...) for supply-chain safety, and mitigating prompt-injection risk in the issue triage workflow by passing untrusted issue data through environment variables.

Key finding: The GitHub App token in pr-review-responder.yml still requests permission-actions: write even though the workflow makes no Actions API calls (only issues and pull-requests API calls). This is unnecessary over-permission that violates the least-privilege principle and should be removed.

Confidence Score: 4/5

• Safe to merge — security hardening is applied consistently with only one minor overpermissioning issue identified and easily fixable.
• The PR successfully applies least-privilege principles across all 8 workflows. All changes are additive security hardening with no functional regressions. Supply-chain safety is improved by pinning actions to commit SHAs, and prompt-injection risk is mitigated through environment variable passing. One concrete issue remains: permission-actions: write on the GitHub App token in pr-review-responder.yml is unused and should be removed to maintain consistency with the PR's least-privilege goals.
• .github/workflows/pr-review-responder.yml

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A["GitHub Actions Security Hardening"] --> B["7 Workflows: Top-level permissions: {}"]
    A --> C["1 Workflow: Job-level scoping only"]
    
    B --> B1["bugbot-trigger"]
    B --> B2["cla"]
    B --> B3["claude-pr-review"]
    B --> B4["claude-rebase"]
    B --> B5["claude-triage"]
    B --> B6["closed-issue-comment"]
    B --> B7["pr-review-responder"]
    
    C --> C1["claude-check-workflows"]
    C1 --> C1A["Job perms: contents:read, issues:write ✓"]
    
    B2 --> PIN["CLA action pinned to SHA ca4a40a7d ✓"]
    B5 --> MITIGATION["Issue data via env vars + security notice ✓"]
    
    B7 --> ISSUE["⚠ permission-actions:write unused"]
    ISSUE --> FIX["Remove permission-actions:write"]
    
    style ISSUE fill:#ffcccc
    style FIX fill:#ffe6e6
    style PIN fill:#ccffcc
    style MITIGATION fill:#ccffcc

Loading

Comments Outside Diff (1)

1. .github/workflows/pr-review-responder.yml, line 43 (link)

   Remove unnecessary permission-actions: write from the GitHub App token. This workflow makes no Actions API calls (triggering/re-running/cancelling workflows), only pull-requests and issues API calls. This permission violates the least-privilege principle being applied throughout this PR.

_{Last reviewed commit: 39ab36d}

[github-actions]

❌ Claude Code partially completed

Summary

• Fixed 1 review comment (added top-level permissions: {} to claude-check-workflows.yml)
• Resolved 1 review thread from github-actions
• All CI checks were already passing — no CI fixes needed
• Push failed: The GitHub App installation token lacks workflows permission, and the PAT belongs to a suspended account. The commit is ready locally but could not be pushed.

Error Details

Push error (ghs_ token): remote rejected — refusing to allow a GitHub App to create or update workflow without workflows permission.

Push error (PAT token): remote — Your account is suspended.

Local commit: b6f13b6 ci: add top-level permissions: {} to claude-check-workflows.yml

The fix adds permissions: {} at the workflow level in .github/workflows/claude-check-workflows.yml, consistent with all other hardened workflows in this PR.

[wwwillchen]

@BugBot run

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 39ab36df64

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Align triage prompt commands with allowed tool policy

The updated triage prompt now instructs Claude to read context via echo "$ISSUE_NUMBER", echo "$ISSUE_TITLE", etc., but this same workflow restricts tools to Bash(gh issue:*),Bash(gh search:*), which does not include plain echo. When Claude follows the new instructions literally, the context-read step can be blocked, and triage may fail or run without the intended issue content, leading to incorrect labels/comments on new issues.

Useful? React with 👍 / 👎.

[dyad-assistant]

🔍 Dyadbot Code Review Summary

Verdict: ✅ YES - Ready to merge

Reviewed by 3 independent agents: Correctness Expert, Code Health Expert, UX Wizard.

Issues Summary

No HIGH or MEDIUM issues found. All changes are well-structured security hardening.

🟢 Low Priority Notes (3 items)

• Comment inaccuracy: "read-only" vs no permissions - .github/workflows/cla.yml:8 - The comment says "Restrict default permissions to read-only" but permissions: {} grants zero permissions, not read-only. Other workflows in this PR use the accurate phrasing "Restrict default permissions".
• Consider printenv over echo for reading untrusted env vars - .github/workflows/claude-triage.yml:56 - The prompt instructs Claude to use echo "$ISSUE_BODY". While safe in practice (bash doesn't re-scan variable values for command substitution), printenv ISSUE_BODY is a more robust pattern that avoids edge cases with echo (e.g., values starting with -).
• REPO still directly interpolated - .github/workflows/claude-triage.yml:57 - ${{ github.repository }} is still template-interpolated while other values were moved to env vars. Not a security risk (not user-controlled), but slightly inconsistent with the env var migration approach.

🚫 Dropped False Positives (1 item)

• Dropped actions:write may break CLA workflow - Dropped: The CLA Assistant's core operations (status checks, PR comments, content writes) are covered by statuses:write, pull-requests:write, and contents:write. actions:write is for managing workflow runs, which CLA doesn't require.

---

Generated by Dyadbot multi-agent code review

[github-actions]

🎭 Playwright Test Results

❌ Some tests failed

OS	Passed	Failed	Flaky	Skipped
🍎 macOS	386	1	5	123
🪟 Windows	387	4	6	123

Summary: 773 passed, 5 failed, 11 flaky, 246 skipped

Failed Tests

🍎 macOS

• setup_flow.spec.ts > Setup Flow > node.js install flow
  • TimeoutError: locator.click: Timeout 30000ms exceeded.

🪟 Windows

• github.spec.ts > create and sync to new repo
  • Error: expect(locator).toHaveClass(expected) failed
• github.spec.ts > create and sync to new repo - custom branch
  • TimeoutError: locator.click: Timeout 30000ms exceeded.
• github.spec.ts > create and sync to existing repo
  • Error: expect(locator).toMatchAriaSnapshot(expected) failed
• github.spec.ts > create and sync to existing repo - custom branch
  • Error: expect(locator).toMatchAriaSnapshot(expected) failed

📋 Re-run Failing Tests (macOS)

Copy and paste to re-run all failing spec files locally:

npm run e2e \
  e2e-tests/setup_flow.spec.ts

⚠️ Flaky Tests

🍎 macOS

• concurrent_chat.spec.ts > concurrent chat (passed after 1 retry)
• engine.spec.ts > regular auto should send message to engine (passed after 1 retry)
• git_collaboration.spec.ts > Git Collaboration > should create, switch, rename, merge, and delete branches (passed after 1 retry)
• mcp.spec.ts > mcp - call calculator via http (passed after 1 retry)
• setup_flow.spec.ts > Setup Flow > setup banner shows correct state when node.js is installed (passed after 1 retry)

🪟 Windows

• chat_input.spec.ts > send button disabled during pending proposal - reject (passed after 2 retries)
• context_limit_banner.spec.ts > context limit banner shows 'running out' when near context limit (passed after 1 retry)
• edit_code.spec.ts > edit code (passed after 1 retry)
• edit_code.spec.ts > edit code edits the right file (passed after 1 retry)
• git_collaboration.spec.ts > Git Collaboration > should create, switch, rename, merge, and delete branches (passed after 2 retries)
• setup_flow.spec.ts > Setup Flow > setup banner shows correct state when node.js is installed (passed after 1 retry)

---

📊 View full report