
Set least-privilege permissions on Build & Test workflow#22

Merged: PierreJanineh merged 2 commits into develop from fix/workflow-permissions on May 31, 2026

Conversation

@PierreJanineh (Member) commented May 31, 2026

📋 Description

CI hardening plus a small source-header cleanup.

  • Workflow permissions — resolves two CodeQL alerts (actions/missing-workflow-permissions, medium) by adding a top-level permissions: contents: read to build.yml. Both jobs only check out and build, so read-only is sufficient. (docs.yml already scoped its token.)
  • Test file headers — the three ProgressUITests files were created without the project's standard // Created by Pierre Janineh on … header block; added to match every other source file.

🔄 Type of Change

  • 🔧 Refactor or internal change (CI hardening)
  • 📝 Documentation update (file headers)

✅ How Has This Been Tested?

  • build.yml YAML validated (parses; permissions: {contents: read}, both jobs intact).
  • CI re-runs on this PR; CodeQL should clear the permissions alerts.

🤖 Generated with Claude Code

Resolves CodeQL `actions/missing-workflow-permissions` alerts: declare a
top-level `permissions: contents: read` so the GITHUB_TOKEN isn't granted
broad default scopes. Both jobs only check out and build.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
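The change the description above summarizes, as an added example that is not the project's own build.yml or code: a constructed "before" workflow with no permissions block next to the hardened form carrying a top-level `permissions: contents: read`, plus a small audit that flags jobs whose GITHUB_TOKEN still has the repository's default scopes (the condition behind the CodeQL `actions/missing-workflow-permissions` alert). The job names, runner and build steps are placeholders, and the indentation-based scan is not a general YAML parser.

```python
"""Least-privilege GITHUB_TOKEN check for GitHub Actions workflows.

Added example, not the project's own code. It embeds a constructed
"before" workflow (no permissions block) and the hardened "after" form
with a top-level `permissions: contents: read`, and audits each the way
CodeQL's actions/missing-workflow-permissions alert does: every job must
have a permissions scope, declared either at the top level or on the job.
The scan is indentation-based so it runs without PyYAML; it is not a
general YAML parser.
"""

import re

# Job names, runner and build steps are placeholders, not the project's.
WEAK_WORKFLOW = """\
name: Build & Test

on:
  push:
    branches: [develop]
  pull_request:

jobs:
  build:
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./build.sh   # placeholder build step
  test:
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./test.sh    # placeholder test step
"""

HARDENED_WORKFLOW = """\
name: Build & Test

on:
  push:
    branches: [develop]
  pull_request:

# Least-privilege GITHUB_TOKEN: both jobs only check out and build,
# so a read-only token is sufficient.
permissions:
  contents: read

jobs:
  build:
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./build.sh   # placeholder build step
  test:
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./test.sh    # placeholder test step
"""

# A mapping key at the start of a line: captures indent, key and value.
# List items ("- uses: ...") deliberately do not match.
KEY_RE = re.compile(r"^( *)([A-Za-z0-9_\-]+):(.*)$")


def _outline(text):
    """Return (top-level keys, {job: job-level keys}, top-level permissions value)."""
    top, jobs, perms_value = set(), {}, None
    in_jobs, current_job = False, None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if not m:
            continue
        indent, key, rest = len(m.group(1)), m.group(2), m.group(3).strip()
        if indent == 0:
            top.add(key)
            in_jobs, current_job = key == "jobs", None
            if key == "permissions":
                perms_value = rest
        elif in_jobs and indent == 2:
            current_job = key
            jobs[key] = set()
        elif in_jobs and indent == 4 and current_job is not None:
            jobs[current_job].add(key)
    return top, jobs, perms_value


def audit_workflow(text):
    """Return findings for jobs whose GITHUB_TOKEN is not explicitly scoped.

    An empty list means every job has a permissions block (top-level or
    per-job) and the top-level scope is not the blanket `write-all`.
    """
    top, jobs, perms_value = _outline(text)
    if "permissions" in top:
        if perms_value == "write-all":
            return ["top-level permissions: write-all grants every scope"]
        return []
    return [f"job '{name}' runs with the default GITHUB_TOKEN scopes"
            for name, keys in jobs.items() if "permissions" not in keys]


if __name__ == "__main__":
    for label, wf in (("before", WEAK_WORKFLOW), ("after", HARDENED_WORKFLOW)):
        print(f"{label}: {audit_workflow(wf) or 'OK - token explicitly scoped'}")
```

Running the script reports both placeholder jobs for the "before" workflow and nothing for the hardened one; the inline form `permissions: {contents: read}` mentioned in the testing notes passes the same check, since only the presence and value of the top-level key matter.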
Copilot AI review requested due to automatic review settings May 31, 2026 04:36

Copilot AI left a comment


Pull request overview

Adds a top-level least-privilege permissions block to the Build & Test workflow to resolve CodeQL actions/missing-workflow-permissions alerts. Since both jobs only check out and build, contents: read is sufficient.

Changes:

  • Add top-level permissions: contents: read to .github/workflows/build.yml
  • Add explanatory comment about least-privilege GITHUB_TOKEN scoping


The three test files were created without the project's standard
"Created by Pierre Janineh on …" header block; add it to match every
other source file.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@PierreJanineh PierreJanineh merged commit 07b0b85 into develop May 31, 2026
10 checks passed
@PierreJanineh PierreJanineh deleted the fix/workflow-permissions branch May 31, 2026 15:28
