zbhan | e7e5c7b710 | fix comment | 2025-11-02 22:55:27 -05:00
zbhan | 7a43f25858 | Fix validation logic | 2025-11-02 22:49:43 -05:00
zbhan | 88240019ec | Fix validation | 2025-11-02 22:24:31 -05:00
zbhan | 75115ac747 | Fix backend check | 2025-11-02 22:15:45 -05:00
zbhan | 0500cf7486 | Fix validation error | 2025-11-02 22:11:24 -05:00
zbhan | 7cbef0fd65 | fix(workflow): fix github workflow | 2025-11-02 21:49:59 -05:00
Luna Martinez | 9f2993b67f | Change permissions from read to write for contents | 2025-11-02 21:15:31 -05:00
tangmengqiu | 9486a0df40 | fix(ci): Add comprehensive permissions to pr-checks workflow

Add workflow-level default permissions and explicit per-job permissions
following the principle of least privilege:

Workflow-level (default):
- contents: read - Read repository contents
- pull-requests: write - Manage PR labels and comments
- issues: write - Manage issues (PRs are issues in GitHub API)

Job-level overrides:
- validate-pr: Inherits workflow defaults (needs issue/PR write access)
- backend-tests: Downgrade to read-only (no write operations needed)
- frontend-tests: Downgrade to read-only (no write operations needed)
- auto-label: Add missing issues:write (labeler operates on PR issues)
- security-check: Add security-events:write (upload SARIF results)
- secrets-check: Downgrade to read-only (scanning only)
- all-checks: Downgrade to read-only (status checking only)

This fixes:
1. Potential 403 errors when auto-label tries to add labels to PR issues
2. Missing permission for uploading security scan results
3. Overly permissive access for read-only jobs

Related: #282

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

| 2025-11-02 18:23:28 -05:00
zbhan | c084de7277 | fix: github workflow permission | 2025-11-01 22:25:32 -04:00
zbhan | 9a604f9b27 | feat: pr validation | 2025-11-01 18:25:44 -04:00