Grant id-token: write to security-audit, add it to agent-managed list

claude-code-action requires id-token: write to fetch an OIDC token
for authenticating to the Claude API. Without it, the action fails
its first step and retries 3 times before giving up. Add the
permission so the action can complete.

While here, add security-audit.yaml to the agent-managed workflow
list in SECURITY.md. Previously only tend-*.yaml and
workflow-audit.yaml were enumerated; the new audit also runs
Claude-powered automation that needs issues:write, and the rule
"no non-agent write permissions other than release provenance"
would have flagged it otherwise.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
SECURITY.md (2 additions & 2 deletions)
@@ -23,7 +23,7 @@ New npm package versions are not adopted immediately. The workspace uses pnpm's
23
23
24
24
GitHub Actions are always pinned by commit hash, not version tag. Dependabot will update the hashes as necessary.
25
25
26
-
The agent-managed workflows (`tend-*.yaml`and `workflow-audit.yaml`) are exempt from the two rules below because the maintainer agent's job requires modifying issues, PRs, and code. Their scope is bounded separately in the "Automated Maintainer" section.
26
+
The agent-managed workflows (`tend-*.yaml`, `workflow-audit.yaml`, and `security-audit.yaml`) are exempt from the two rules below because they run Claude-powered automation that requires modifying issues, PRs, or code, or fetching an OIDC token. Their scope is bounded separately in the "Automated Maintainer" section.
27
27
28
28
- FAIL IF `pull_request_target` appears in any `.github/workflows/**` file other than `tend-*.yaml`.
29
29
- FAIL IF a non-agent-managed workflow grants write permissions other than the explicitly scoped release provenance permissions `id-token: write` and `attestations: write`.
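Review bot: The rewritten sentence says all three agent-managed workflows are "exempt from the two rules below", but the first rule in the trailing context still carves out only `tend-*.yaml` for `pull_request_target`. As written, an auditor cannot tell whether `security-audit.yaml` (or `workflow-audit.yaml`) may use `pull_request_target`: the prose says yes, the FAIL IF rule says no. Suggest narrowing the sentence so that `workflow-audit.yaml` and `security-audit.yaml` are exempt only from the write-permission rule, and stating that the `pull_request_target` exception remains limited to `tend-*.yaml`. Separately, the added rationale "or fetching an OIDC token" sits awkwardly next to the second rule, which permits `id-token: write` only as a release provenance permission; it would help to say explicitly that here the token is used for API authentication rather than provenance, so the two uses of the same permission are not conflated.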
@@ -50,7 +50,7 @@ This repository runs the [tend](https://github.com/max-sixty/tend) agent harness
50
50
- FAIL IF `CHROMATIC_PROJECT_TOKEN` is missing from `secrets.allowed` in `.config/tend.yaml`. The allowlist entry is an explicit acknowledgment that the bot can read this token.
51
51
- FAIL IF `.github/workflows/workflow-audit.yaml` is missing, disabled, or has not produced a successful run in the last 48 hours.
52
52
- FAIL IF any `tend-*.yaml` workflow references `max-sixty/tend` with anything other than a pinned version tag matching a published release (e.g. `@0.0.25`). The other actions inside tend's workflows must still be SHA-pinned per the rule above. The tag-pin exception for `max-sixty/tend` itself is accepted because that reference is owned by the upstream generator.
53
-
- FAIL IF any agent-managed workflow (`tend-*.yaml`, `workflow-audit.yaml`) grants a permission beyond `contents: write`, `pull-requests: write`, `issues: write`, `id-token: write`, `actions: read`, or any `read` permission.
53
+
- FAIL IF any agent-managed workflow (`tend-*.yaml`, `workflow-audit.yaml`, `security-audit.yaml`) grants a permission beyond `contents: write`, `pull-requests: write`, `issues: write`, `id-token: write`, `actions: read`, or any `read` permission.
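Review bot: Adding `security-audit.yaml` to this rule gives it the same ceiling as the tend workflows, so `contents: write` and `pull-requests: write` would now pass the audit for it, while the commit message gives its needs as only `issues: write` and `id-token: write`. Suggest a separate, tighter line for it, for example "FAIL IF `security-audit.yaml` grants a write permission other than `issues: write` or `id-token: write`", so that a later widening of that workflow's permissions is flagged rather than silently accepted. The agent-managed list is also now spelled out in two places in this file (here and in the exemption paragraph earlier); defining it once and referring to it would keep the two from drifting the next time a workflow is added.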