
chore: set default permissions to least-privilege for workflow jobs #19

Merged
twangodev merged 1 commit into main from chore/gha-permissions
Apr 9, 2026

Conversation

Owner

@twangodev twangodev commented Apr 9, 2026

Summary by CodeRabbit

  • Chores
    • Enhanced build process security by implementing stricter default permission controls with least-privilege access.

Copilot AI review requested due to automatic review settings April 9, 2026 17:24
@twangodev twangodev enabled auto-merge (squash) April 9, 2026 17:25

coderabbitai Bot commented Apr 9, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 5c64d0ac-6ebd-4f4b-9674-35cd293da055

📥 Commits

Reviewing files that changed from the base of the PR and between b011659 and f87d1ff.

📒 Files selected for processing (1)
  • .github/workflows/build.yml

📝 Walkthrough

Added a workflow-level permissions block to the GitHub Actions build workflow, setting default least-privilege access to contents: read. Existing job-level permission overrides for test and inspectCode jobs remain unchanged.

Changes

Cohort / File(s): GitHub Actions Security Configuration (.github/workflows/build.yml)
Summary: Added workflow-level permissions: { contents: read } to establish default least-privilege access for all jobs, while preserving existing job-level permission overrides.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

A rabbit hops through workflows with care,
Permissions trimmed with security flair,
Read-only by default, least privilege shown,
Safe repos and secrets, now fully grown! 🐰🔐

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately and clearly describes the main change: adding a workflow-level permissions block with default least-privilege access (contents: read) to .github/workflows/build.yml.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


Copilot AI left a comment


Pull request overview

Sets an explicit least-privilege default for GITHUB_TOKEN permissions in the Build GitHub Actions workflow, reducing the baseline access level for jobs that don’t need elevated scopes.

Changes:

  • Adds a workflow-level permissions block defaulting to contents: read.
  • Relies on existing job-level permission overrides (e.g., test, inspectCode) where broader access is required.

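As an added example (not code from this PR, its reviewers, or the project), the following Python models the GITHUB_TOKEN permission rules the reviews above rely on: a workflow-level block sets the default, a job-level block replaces it outright rather than merging with it, and any scope left unlisted becomes none. The sample workflow inside it is constructed, and its job-level override scopes are assumptions; the project's actual test and inspectCode overrides are not shown on this page.

```python
# Added example, not code from the PR: models how GitHub resolves GITHUB_TOKEN
# permissions per job and audits a parsed workflow for broad access.
# Assumption: the workflow is already a dict (what yaml.safe_load would give).

SCOPES = ("actions", "checks", "contents", "deployments", "id-token", "issues",
          "packages", "pages", "pull-requests", "security-events", "statuses")


def expand(perms):
    """Expand a `permissions` value into a full scope -> level map.
    A mapping grants only the scopes it lists; every other scope becomes
    `none`. `read-all` / `write-all` apply one level to every scope."""
    if perms in ("read-all", "write-all"):
        return {s: perms.split("-")[0] for s in SCOPES}
    return {s: perms.get(s, "none") for s in SCOPES}


def effective_permissions(workflow, job_name):
    """Scope map the job actually runs with, or None when neither level
    declares `permissions` (the job then inherits the repository default).
    A job-level block replaces the workflow-level one; nothing is merged."""
    job = workflow["jobs"][job_name]
    if "permissions" in job:
        return expand(job["permissions"])
    if "permissions" in workflow:
        return expand(workflow["permissions"])
    return None


def audit(workflow):
    """Review findings: jobs relying on the repository default, and jobs
    holding write access, listing the scopes involved."""
    findings = []
    for name in workflow["jobs"]:
        eff = effective_permissions(workflow, name)
        if eff is None:
            findings.append(f"{name}: no permissions block; inherits repository default")
        elif writes := sorted(s for s, lvl in eff.items() if lvl == "write"):
            findings.append(f"{name}: write on {', '.join(writes)}")
    return findings


# Constructed sample: a workflow-level read-only default plus one job that
# overrides it. The override scopes are illustrative, not the project's values.
SAMPLE = {
    "permissions": {"contents": "read"},
    "jobs": {
        "build": {"runs-on": "ubuntu-latest"},
        "test": {"runs-on": "ubuntu-latest",
                 "permissions": {"contents": "read", "checks": "write"}},
    },
}
```

Running audit(SAMPLE) reports only the test job's checks: write; the build job, which has no block of its own, gets contents: read and none on everything else from the workflow-level default.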

@twangodev twangodev merged commit aec46d1 into main Apr 9, 2026
14 checks passed
@twangodev twangodev deleted the chore/gha-permissions branch April 9, 2026 17:27

codecov Bot commented Apr 9, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.


Contributor

github-actions Bot commented Apr 9, 2026

Qodana Community for JVM

It seems all right 👌

No new problems were found according to the checks applied

💡 Qodana analysis was run in the pull request mode: only the changed files were checked

View the detailed Qodana report

To be able to view the detailed Qodana report, you can either:

To get *.log files or any other Qodana artifacts, run the action with the upload-result option set to true, so that the action will upload the files as job artifacts:

      - name: 'Qodana Scan'
        uses: JetBrains/qodana-action@v2025.1.1
        with:
          upload-result: true

Contact Qodana team

Contact us at qodana-support@jetbrains.com
