ci: set workflow permissions to read-only by default #693
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
No linked issues found. Please add the corresponding issues in the pull request description. |
Contributor
There was a problem hiding this comment.
Pull Request Overview
This PR updates workflow configurations to enforce read-only permissions by default at the workflow level while allowing granular write access at the job level, and it updates the CI workflow to ensure the latest Node minor/hotfix version is used.
- Added a workflow-level permissions block with "contents: read" in multiple workflow files.
- Overridden job-level permissions to allow specific write actions where needed.
- Modified branch filter definitions and enabled "check-latest" in the CI workflow for Node setup.
Reviewed Changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| .github/workflows/release.yml | Added workflow-level read-only permissions and job-level write overrides |
| .github/workflows/notify-release.yml | Added workflow-level read-only permissions and set job permissions for notification job |
| .github/workflows/ci.yml | Updated branch filters, added default read permission, and enabled check-latest option |
| .github/workflows/check-linked-issues.yml | Added workflow-level read-only permissions and job-level permissions for linked issues |
Comments suppressed due to low confidence (1)
.github/workflows/check-linked-issues.yml:13
- The indentations of the permissions block in this file differ from the style used in the other workflow files. Please align the indentation levels consistently (e.g., child keys indented by two spaces relative to their parent) to avoid potential YAML parsing issues.
permissions:
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR is created by a script. Please check the changes prior to merging.
This PR adds permissions to the workflow and job level, making the workflows read-only by default, and allowing write access only at the job level via granular permissions. This is regularly flagged by CodeQL, Step Security, OSSF, and other security tools.
This change also allows the org to go read-only everywhere, see fastify/avvio#308 (comment).
This PR also sets
check-latestto true, so that theactions/setup-nodewill check it is using the latest minor or hotfix Node version and use that instead of its cached version, this stops an issue like with 22.5.0 that introduced a regression and actions were still using that instead of 22.5.1