mirror of
https://github.com/NoFxAiOS/nofx.git
synced 2026-07-15 00:36:56 +08:00
fix(ci): Add comprehensive permissions to pr-checks workflow
Add workflow-level default permissions and explicit per-job permissions following the principle of least privilege: Workflow-level (default): - contents: read - Read repository contents - pull-requests: write - Manage PR labels and comments - issues: write - Manage issues (PRs are issues in GitHub API) Job-level overrides: - validate-pr: Inherits workflow defaults (needs issue/PR write access) - backend-tests: Downgrade to read-only (no write operations needed) - frontend-tests: Downgrade to read-only (no write operations needed) - auto-label: Add missing issues:write (labeler operates on PR issues) - security-check: Add security-events:write (upload SARIF results) - secrets-check: Downgrade to read-only (scanning only) - all-checks: Downgrade to read-only (status checking only) This fixes: 1. Potential 403 errors when auto-label tries to add labels to PR issues 2. Missing permission for uploading security scan results 3. Overly permissive access for read-only jobs Related: #282 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: tinkle-community <tinklefund@gmail.com>
This commit is contained in:
20
.github/workflows/pr-checks.yml
vendored
20
.github/workflows/pr-checks.yml
vendored
@@ -7,11 +7,18 @@ on:
|
|||||||
- dev
|
- dev
|
||||||
- main
|
- main
|
||||||
|
|
||||||
|
# Default permissions for all jobs (can be overridden per job)
|
||||||
|
permissions:
|
||||||
|
contents: read # Read repository contents
|
||||||
|
pull-requests: write # Manage PRs (labels, comments)
|
||||||
|
issues: write # Manage issues (PRs are issues)
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
# Validate PR title and description
|
# Validate PR title and description
|
||||||
validate-pr:
|
validate-pr:
|
||||||
name: Validate PR Format
|
name: Validate PR Format
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
# Inherits workflow-level permissions (contents: read, pull-requests: write, issues: write)
|
||||||
steps:
|
steps:
|
||||||
- name: Check PR title format
|
- name: Check PR title format
|
||||||
uses: amannn/action-semantic-pull-request@v5
|
uses: amannn/action-semantic-pull-request@v5
|
||||||
@@ -86,6 +93,8 @@ jobs:
|
|||||||
backend-tests:
|
backend-tests:
|
||||||
name: Backend Tests (Go)
|
name: Backend Tests (Go)
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
permissions:
|
||||||
|
contents: read # Only need read access for testing
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout code
|
- name: Checkout code
|
||||||
uses: actions/checkout@v4
|
uses: actions/checkout@v4
|
||||||
@@ -138,6 +147,8 @@ jobs:
|
|||||||
frontend-tests:
|
frontend-tests:
|
||||||
name: Frontend Tests (React/TypeScript)
|
name: Frontend Tests (React/TypeScript)
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
permissions:
|
||||||
|
contents: read # Only need read access for testing
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout code
|
- name: Checkout code
|
||||||
uses: actions/checkout@v4
|
uses: actions/checkout@v4
|
||||||
@@ -176,7 +187,9 @@ jobs:
|
|||||||
name: Auto Label PR
|
name: Auto Label PR
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
permissions:
|
permissions:
|
||||||
|
contents: read
|
||||||
pull-requests: write
|
pull-requests: write
|
||||||
|
issues: write # Required: PRs are issues, labeler needs to modify issue labels
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/labeler@v5
|
- uses: actions/labeler@v5
|
||||||
with:
|
with:
|
||||||
@@ -187,6 +200,9 @@ jobs:
|
|||||||
security-check:
|
security-check:
|
||||||
name: Security Scan
|
name: Security Scan
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
permissions:
|
||||||
|
contents: read
|
||||||
|
security-events: write # Required: Upload SARIF results to GitHub Security
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout code
|
- name: Checkout code
|
||||||
uses: actions/checkout@v4
|
uses: actions/checkout@v4
|
||||||
@@ -209,6 +225,8 @@ jobs:
|
|||||||
secrets-check:
|
secrets-check:
|
||||||
name: Check for Secrets
|
name: Check for Secrets
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
permissions:
|
||||||
|
contents: read # Only need read access for scanning
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout code
|
- name: Checkout code
|
||||||
uses: actions/checkout@v4
|
uses: actions/checkout@v4
|
||||||
@@ -226,6 +244,8 @@ jobs:
|
|||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
needs: [validate-pr, backend-tests, frontend-tests, security-check, secrets-check]
|
needs: [validate-pr, backend-tests, frontend-tests, security-check, secrets-check]
|
||||||
if: always()
|
if: always()
|
||||||
|
permissions:
|
||||||
|
contents: read # Only need read access for status checking
|
||||||
steps:
|
steps:
|
||||||
- name: Check all jobs
|
- name: Check all jobs
|
||||||
run: |
|
run: |
|
||||||
|
|||||||
Reference in New Issue
Block a user