Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 1 addition & 8 deletions .github/workflows/release.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -6,8 +6,7 @@ on:
- "v*.*.*"

# https://github.com/ossf/scorecard/blob/7ed886f1bd917d19cb9d6ce6c10e80e81fa31c39/docs/checks.md#token-permissions
permissions:
contents: read
permissions: read-all

@cubic-dev-ai cubic-dev-ai Bot Mar 16, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1: read-all is the wrong workflow default for this keyless migration: it widens GITHUB_TOKEN to every read scope, but still doesn't grant the workflow-level id-token: write that Chainloop documents for GitHub keyless auth.

(Based on your team's feedback about checking auth/config changes for compatibility with related clients and workflows.)

View Feedback

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/release.yaml, line 9:

<comment>`read-all` is the wrong workflow default for this keyless migration: it widens `GITHUB_TOKEN` to every read scope, but still doesn't grant the workflow-level `id-token: write` that Chainloop documents for GitHub keyless auth.

(Based on your team's feedback about checking auth/config changes for compatibility with related clients and workflows.) </comment>

<file context>
@@ -6,8 +6,7 @@ on:
 # https://github.com/ossf/scorecard/blob/7ed886f1bd917d19cb9d6ce6c10e80e81fa31c39/docs/checks.md#token-permissions
-permissions:
-  contents: read
+permissions: read-all
 
 jobs:
</file context>
Suggested change
permissions: read-all
permissions:
contents: read
id-token: write
Fix with Cubic

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We're trying to standarize either permissions: read-all or permissions: {} for workflow level settings. Then every job overrides or sets job-specific permissions.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the feedback! I've saved this as a new learning to improve future reviews.


jobs:
release_gate:
Expand All @@ -28,22 +27,17 @@ jobs:
chainloop attestation init --workflow release-gate --project chainloop
chainloop attestation push
env:
CHAINLOOP_TOKEN: ${{ secrets.CHAINLOOP_TOKEN }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

- name: Mark attestation as failed
if: ${{ failure() }}
run: |
chainloop attestation reset
env:
CHAINLOOP_TOKEN: ${{ secrets.CHAINLOOP_TOKEN }}

- name: Mark attestation as cancelled
if: ${{ cancelled() }}
run: |
chainloop attestation reset --trigger cancellation
env:
CHAINLOOP_TOKEN: ${{ secrets.CHAINLOOP_TOKEN }}

test:
uses: chainloop-dev/chainloop/.github/workflows/test.yml@d427768c0b07d50b485df0bcae87eb8ae8769e04
Expand All @@ -60,7 +54,6 @@ jobs:
id-token: write # required for SLSA provenance
attestations: write # required for SLSA provenance
env:
CHAINLOOP_TOKEN: ${{ secrets.CHAINLOOP_TOKEN }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

steps:
Expand Down
Loading