Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 1 addition & 8 deletions .github/workflows/release.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -6,8 +6,7 @@ on:
- "v*.*.*"

# https://github.com/ossf/scorecard/blob/7ed886f1bd917d19cb9d6ce6c10e80e81fa31c39/docs/checks.md#token-permissions
permissions:
contents: read
permissions: read-all

@cubic-dev-ai cubic-dev-ai Bot Mar 14, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2: Avoid read-all here; it broadens the default GITHUB_TOKEN for every job beyond what this workflow needs. Keep the top-level token limited and let the individual jobs request any extra scopes they require.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/release.yaml, line 9:

<comment>Avoid `read-all` here; it broadens the default `GITHUB_TOKEN` for every job beyond what this workflow needs. Keep the top-level token limited and let the individual jobs request any extra scopes they require.</comment>

<file context>
@@ -6,8 +6,7 @@ on:
 # https://github.com/ossf/scorecard/blob/7ed886f1bd917d19cb9d6ce6c10e80e81fa31c39/docs/checks.md#token-permissions
-permissions:
-  contents: read
+permissions: read-all
 
 jobs:
</file context>
Fix with Cubic


jobs:
release_gate:
Expand All @@ -28,22 +27,17 @@ jobs:
chainloop attestation init --workflow release-gate --project chainloop
chainloop attestation push
env:
CHAINLOOP_TOKEN: ${{ secrets.CHAINLOOP_TOKEN }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

- name: Mark attestation as failed
if: ${{ failure() }}
run: |
chainloop attestation reset
env:
CHAINLOOP_TOKEN: ${{ secrets.CHAINLOOP_TOKEN }}

- name: Mark attestation as cancelled
if: ${{ cancelled() }}
run: |
chainloop attestation reset --trigger cancellation
env:
CHAINLOOP_TOKEN: ${{ secrets.CHAINLOOP_TOKEN }}

test:
uses: chainloop-dev/chainloop/.github/workflows/test.yml@d427768c0b07d50b485df0bcae87eb8ae8769e04
Expand All @@ -60,7 +54,6 @@ jobs:
id-token: write # required for SLSA provenance
attestations: write # required for SLSA provenance
env:
CHAINLOOP_TOKEN: ${{ secrets.CHAINLOOP_TOKEN }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

steps:
Expand Down
Loading