7 changes: 5 additions & 2 deletions .github/workflows/codeboarding-sync.yml
Expand Up @@ -32,8 +32,9 @@ on:
required: false
default: false

permissions:
contents: write # commit the generated baseline + docs to main
# No workflow-level permissions: the single job below requests only what it
# needs (least privilege), so the default token starts with none.
permissions: {}

concurrency:
# Serialize this workflow against itself: a push landing while a manual
Expand All @@ -45,6 +46,8 @@ jobs:
sync:
runs-on: ubuntu-latest
timeout-minutes: 60
permissions:
contents: write # commit the generated baseline + docs to main
steps:
# Dogfood: run the action from the checked-out repo (uses: ./) so pushes to
# main exercise the action code on main, not the last published release.
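Review bot: The job-level `contents: write` on the sync job is now the only write scope left in either workflow, and its comment does not say what rules out the obvious loop: this job commits to main from a workflow that, if the concurrency comment above is accurate, also runs on pushes to main. Commits pushed with the default GITHUB_TOKEN do not start new `push` workflow runs, which is what makes this safe, so I would record that in the comment, e.g. `contents: write # commit the generated baseline + docs to main (GITHUB_TOKEN pushes don't re-trigger this workflow)`. The `steps` list continues past the hunk, so I could not confirm whether the checkout/push step uses the default token or a PAT; a PAT would bring the re-trigger loop back, which is another reason to state the assumption at this line.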
16 changes: 10 additions & 6 deletions .github/workflows/codeboarding.yml
Expand Up @@ -10,12 +10,9 @@ on:
issue_comment:
types: [created]

permissions:
# write: the action commits the generated .codeboarding/analysis.json back to the
# PR branch so the webview can open this PR's diff at the head SHA (same-repo PRs).
contents: write
pull-requests: write
issues: write
# No workflow-level permissions: the single job below requests only what it
# needs (least privilege), so the default token starts with none.
permissions: {}

concurrency:
group: codeboarding-${{ github.event.pull_request.number || github.event.issue.number }}
Expand All @@ -27,6 +24,13 @@ jobs:
review:
runs-on: ubuntu-latest
timeout-minutes: 60
permissions:
# Review mode reads the repo + committed baseline and posts a PR comment;
# it does NOT commit generated files back to the branch (that is sync mode
# only — see action.yml `mode` input). So contents stays read-only.
contents: read
pull-requests: write # post / update the architecture-diff PR comment
issues: write # the /codeboarding issue_comment trigger + comment API
if: >
(github.event_name == 'pull_request' && github.event.action != 'closed' && github.event.pull_request.draft == false) ||
(github.event_name == 'issue_comment' && github.event.issue.pull_request != null &&
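Review bot: Dropping `contents` to `read` on the review job rests on the new comment's claim that review mode never commits, but the workflow-level comment this hunk removes said the opposite — that the action commits `.codeboarding/analysis.json` back to the PR branch for same-repo PRs so the webview can open the diff at the head SHA. If action.yml's review mode still performs that push, the job will now fail at the push step with a permission error rather than at startup, so please confirm the action side before relying on this (or keep the removed sentence as a NOTE in the job comment if that webview feature was dropped). A smaller point: `pull-requests: write` and `issues: write` only take effect for same-repo `pull_request` events, since on PRs from forks the default token is read-only regardless, which the comment could state so nobody later tries to "fix" a 403 by widening scopes. The `if:` condition and the steps continue past the hunk.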