From 2cdc03e0b18b0ffc82c93ebe368a5e1b5b0e56be Mon Sep 17 00:00:00 2001
From: Svilen Stefanov
Date: Tue, 30 Jun 2026 21:59:13 +0200
Subject: [PATCH] feat: scope CI workflow permissions to least privilege

Move permissions to job level; review mode drops contents:write -> read (it never pushes the baseline back to the PR branch - that is sync mode only, see action.yml `mode` input). Keeps uses: ./ dogfooding and the CodeBoarding App-token identity intact.

Rebuilt PR #50 onto current main to resolve the no-common-ancestor conflicts left by main's history rewrite.

This feat: also carries the already-merged codeboarding 0.12.5 engine bump (#49) into the next release, which release-please missed because #49's squash title lacked a Conventional Commit prefix.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .github/workflows/codeboarding-sync.yml | 7 +++++--
 .github/workflows/codeboarding.yml | 16 ++++++++++------
 2 files changed, 15 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/codeboarding-sync.yml b/.github/workflows/codeboarding-sync.yml
index c4127ab..5e625e6 100644
--- a/.github/workflows/codeboarding-sync.yml
+++ b/.github/workflows/codeboarding-sync.yml
@@ -32,8 +32,9 @@ on:
         required: false
         default: false
 
-permissions:
-  contents: write # commit the generated baseline + docs to main
+# No workflow-level permissions: the single job below requests only what it
+# needs (least privilege), so the default token starts with none.
+permissions: {}
 
 concurrency:
   # Serialize this workflow against itself: a push landing while a manual
@@ -45,6 +46,8 @@ jobs:
   sync:
     runs-on: ubuntu-latest
     timeout-minutes: 60
+    permissions:
+      contents: write # commit the generated baseline + docs to main
     steps:
       # Dogfood: run the action from the checked-out repo (uses: ./) so pushes to
       # main exercise the action code on main, not the last published release.
diff --git a/.github/workflows/codeboarding.yml b/.github/workflows/codeboarding.yml
index c23b46a..40b61d7 100644
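Review bot: The job-level `contents: write` added to the `sync` job may still be broader than this commit needs: the message says pushes keep the CodeBoarding App-token identity, and if the commit to main is made with that App token rather than with `GITHUB_TOKEN`, the default token only needs `contents: read` for the checkout. Worth confirming which token the `uses: ./` step actually pushes with before settling on write; if the App token does the push, the line would become `contents: read  # checkout only; the App token commits the baseline`. Minor style point on that same line, and on the two inline-commented permission lines added in codeboarding.yml: yamllint expects two spaces before an inline `#`, e.g. `contents: write  # commit the generated baseline + docs to main`. The first hunk of this file only relocates the old workflow-level block and raises nothing on its own.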
--- a/.github/workflows/codeboarding.yml
+++ b/.github/workflows/codeboarding.yml
@@ -10,12 +10,9 @@ on:
   issue_comment:
     types: [created]
 
-permissions:
-  # write: the action commits the generated .codeboarding/analysis.json back to the
-  # PR branch so the webview can open this PR's diff at the head SHA (same-repo PRs).
-  contents: write
-  pull-requests: write
-  issues: write
+# No workflow-level permissions: the single job below requests only what it
+# needs (least privilege), so the default token starts with none.
+permissions: {}
 
 concurrency:
   group: codeboarding-${{ github.event.pull_request.number || github.event.issue.number }}
@@ -27,6 +24,13 @@ jobs:
   review:
     runs-on: ubuntu-latest
     timeout-minutes: 60
+    permissions:
+      # Review mode reads the repo + committed baseline and posts a PR comment;
+      # it does NOT commit generated files back to the branch (that is sync mode
+      # only — see action.yml `mode` input). So contents stays read-only.
+      contents: read
+      pull-requests: write # post / update the architecture-diff PR comment
+      issues: write # the /codeboarding issue_comment trigger + comment API
     if: >
       (github.event_name == 'pull_request' && github.event.action != 'closed' && github.event.pull_request.draft == false) ||
       (github.event_name == 'issue_comment' && github.event.issue.pull_request != null &&
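Review bot: `issues: write` on the `review` job looks wider than the job uses: the `if:` condition already restricts the `issue_comment` path to comments whose issue is a pull request (`github.event.issue.pull_request != null`), and workflow triggers are not gated by token permissions, so the only thing that scope can be covering is the comment API call itself, not "the /codeboarding issue_comment trigger" as the inline comment says. If that call always targets a PR it may be covered by `pull-requests: write` alone, in which case the `issues: write` line could be dropped — confirm against the action's review-mode API calls and the endpoint's documented token permissions before removing it, and at minimum reword the comment to `issues: write  # comment API on the PR (issues endpoint)` so it does not suggest the trigger needs it. Separately, the removed workflow-level comment explained that committing the baseline let the webview open the PR diff at the head SHA; the new job-level comment says review mode no longer commits but does not say where the webview now gets that baseline, so a sentence pointing at the sync-mode baseline on main would close that gap. The `if:` expression continues past the end of the hunk.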