Skip to content

ci: fix DangerJS workflow permissions#4

Merged
espressif-bot merged 1 commit intomainfrom
fix/dangerjs-permissions
Mar 30, 2026
Merged

ci: fix DangerJS workflow permissions#4
espressif-bot merged 1 commit intomainfrom
fix/dangerjs-permissions

Conversation

@tomassebestik
Copy link
Copy Markdown
Member

@tomassebestik tomassebestik commented Mar 30, 2026

Security update: Modifies DangerJS workflow permissions from contents: write to contents: read.

Enable workflow .github/workflows/dangerjs.yml when this merged - currently disabled!

Copilot AI review requested due to automatic review settings March 30, 2026 07:25
@tomassebestik tomassebestik self-assigned this Mar 30, 2026
Copilot AI reviewed Mar 30, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adjusts the GitHub Actions workflow permissions for the DangerJS PR linter to follow least-privilege by removing unnecessary write access to repository contents.

Changes:

  • Change workflow permissions.contents from write to read for the DangerJS job.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .github/workflows/dangerjs.yml
Comment on lines 6 to +8
permissions:
pull-requests: write
contents: write
contents: read
Copy link

Copilot AI Mar 30, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Because this workflow runs on pull_request_target and checks out the PR head SHA, any step/action that reads and executes repository content from the checkout could be influenced by untrusted fork PRs. Consider avoiding checkout of the head ref in a pull_request_target workflow (e.g., checkout the base ref instead, or have the action rely on the GitHub API), or otherwise harden the job so no PR-controlled code/config is executed.

Copilot uses AI. Check for mistakes.
@espressif-bot espressif-bot merged commit 2821f00 into main Mar 30, 2026
4 of 6 checks passed
@ydhub ydhub deleted the fix/dangerjs-permissions branch March 30, 2026 07:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

@tomassebestik tomassebestik

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@tomassebestik @espressif-bot