Commit Graph

10 Commits

Author SHA1 Message Date
zbhan
3a62c817b1 fix comment 2025-11-02 22:55:27 -05:00
zbhan
972e5fb21a Fix validation logic 2025-11-02 22:49:43 -05:00
zbhan
8caffefe54 Fix validation 2025-11-02 22:24:31 -05:00
zbhan
fe25327ada Fix backend check 2025-11-02 22:15:45 -05:00
zbhan
7d1b1b9245 Fix validation error 2025-11-02 22:11:24 -05:00
zbhan
397df5e386 fix(workflow): fix github workflow 2025-11-02 21:49:59 -05:00
Luna Martinez
7171ea3912 Change permissions from read to write for contents 2025-11-02 21:15:31 -05:00
tangmengqiu
3218c8dfcf fix(ci): Add comprehensive permissions to pr-checks workflow
Add workflow-level default permissions and explicit per-job permissions
following the principle of least privilege:

Workflow-level (default):
- contents: read - Read repository contents
- pull-requests: write - Manage PR labels and comments
- issues: write - Manage issues (PRs are issues in GitHub API)

Job-level overrides:
- validate-pr: Inherits workflow defaults (needs issue/PR write access)
- backend-tests: Downgrade to read-only (no write operations needed)
- frontend-tests: Downgrade to read-only (no write operations needed)
- auto-label: Add missing issues:write (labeler operates on PR issues)
- security-check: Add security-events:write (upload SARIF results)
- secrets-check: Downgrade to read-only (scanning only)
- all-checks: Downgrade to read-only (status checking only)

This fixes:
1. Potential 403 errors when auto-label tries to add labels to PR issues
2. Missing permission for uploading security scan results
3. Overly permissive access for read-only jobs

Related: #282

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: tinkle-community <tinklefund@gmail.com>
2025-11-02 18:23:28 -05:00
zbhan
8d172d0993 fix: github workflow permission 2025-11-01 22:25:32 -04:00
zbhan
a1bf54b952 feat: pr validation 2025-11-01 18:25:44 -04:00