ci: apply least-privilege permissions to all workflows#578
Merged
Conversation
Move write permissions from workflow-level to job-level to satisfy OpenSSF Scorecard Token-Permissions check. This follows the principle of least privilege - workflows default to read-all, and only specific jobs that need write access declare it.

Changed workflows:
- claude.yml: id-token: write moved to job level
- claude-code-review.yml: consistent read-all at workflow level
- codeql.yml: security-events: write moved to job level
- labeler.yml: pull-requests: write moved to job level
- pr-tests.yml: pull-requests: write, statuses: write moved to job level
- release.yml: contents: write already at job level, workflow to read-all
- stale.yml: issues: write, pull-requests: write moved to job level
- unity-tests.yml: checks: write moved to job level

Signed-off-by: Jason Xu <jasonxudeveloper@gmail.com>
Signed-off-by: JasonXuDeveloper - 傑 <jason@xgamedev.net>
…tion Signed-off-by: JasonXuDeveloper - 傑 <jason@xgamedev.net>
Code review: No issues found. Checked for bugs and CLAUDE.md compliance.
GitHub Actions doesn't allow job-level permissions to exceed workflow-level permissions. These workflows need write permissions at workflow level because multiple jobs require them.

Signed-off-by: Jason Xu <jasonxudeveloper@gmail.com>
Signed-off-by: JasonXuDeveloper - 傑 <jason@xgamedev.net>
- Rename skip-tests job to 'Skip Unity Tests' for clarity
- Add commit status creation when tests are skipped
- Both run and skip scenarios now create 'Unity Tests' status

This ensures the required status check works regardless of whether tests actually run or are skipped due to no relevant changes.

Signed-off-by: Jason Xu <jasonxudeveloper@gmail.com>
Signed-off-by: JasonXuDeveloper - 傑 <jason@xgamedev.net>
Unity Test Results
✅ EditMode: All tests passed
Unity Version: 2022.3.55f1
✅ All tests passed! The PR is ready for review.
Summary
read-all, and only specific jobs that need write access declare it

Changed Workflows
- claude.yml: id-token: write moved to job level
- claude-code-review.yml: read-all at workflow level
- codeql.yml: security-events: write moved to job level
- labeler.yml: pull-requests: write moved to job level
- pr-tests.yml: pull-requests: write, statuses: write moved to job level
- release.yml: contents: write already at job level, workflow changed to read-all
- stale.yml: issues: write, pull-requests: write moved to job level
- unity-tests.yml: checks: write moved to job level

Impact
This should resolve the Token-Permissions alerts in the OpenSSF Scorecard, improving the security score.
Test plan
🤖 Generated with Claude Code
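The pattern the PR applies, shown as an added before/after example that is not one of the repository's actual workflow files. The workflow name, job names and the `post-status.sh` script are constructed for illustration; the permission scopes (`pull-requests: write`, `statuses: write`, `read-all`) are the ones the PR description lists for pr-tests.yml. The second document is the hardened form: the workflow-level default drops to `read-all`, and only the job that posts a commit status declares write scopes.

```yaml
# Before (constructed example): one workflow-level block grants write scopes
# to every job, including a lint job that only ever reads the checkout.
# OpenSSF Scorecard's Token-Permissions check flags this top-level write.
name: pr-tests
on:
  pull_request:
permissions:
  contents: read
  pull-requests: write
  statuses: write
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # needs contents: read only
      - run: make lint
  report:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/post-status.sh   # hypothetical script; needs statuses: write
---
# After (constructed example): the workflow defaults to read-all, and the one
# job that writes a commit status declares exactly the scopes it needs.
# A job-level `permissions` block replaces the workflow default for that job,
# so every scope the job needs must be listed here (unlisted scopes become
# "none"; only metadata: read is always granted).
name: pr-tests
on:
  pull_request:
permissions: read-all
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make lint
  report:
    runs-on: ubuntu-latest
    permissions:
      contents: read        # re-declared: checkout still needs it
      pull-requests: write
      statuses: write
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/post-status.sh
```

When checking a workflow like this, confirm that each job's `permissions` block lists every scope its steps use, including `contents: read` for `actions/checkout`; a job that is given only the write scopes it was moved to will lose read access it previously inherited from the workflow level and fail at checkout rather than at the step that needed the token.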