
use default token that is supported by the graphql endpoint

65188b2
Merged

fix(workflow): Fix permission issue with github app and PR draft graphql endpoint #5887

@sentry/warden / warden: find-bugs completed Mar 26, 2026 in 29s

1 issue

find-bugs: Found 1 issue (1 medium)

Medium

Potentially excessive contents:write permission for draft PR conversion - `.github/workflows/enforce-draft-pr.yml:14`

The workflow adds `contents: write` permission alongside `pull-requests: write` for the `pull_request_target` trigger. The stated purpose is to convert a PR to draft using `gh pr ready --undo`, which typically only requires `pull-requests: write`. Granting `contents: write` on a `pull_request_target` workflow could allow unintended write access to repository contents, though this specific workflow doesn't appear to use it. If not required, this permission should be removed to follow the principle of least privilege.
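As an added example (not part of the Warden report or of the repository's own code), a small Python check for the pattern the finding describes: write scopes beyond `pull-requests` granted to a workflow triggered by `pull_request_target`. The sample workflow text is constructed, and `NEEDED_WRITE` encodes the finding's assumption that draft conversion needs only `pull-requests: write`.

```python
import re

NEEDED_WRITE = {"pull-requests"}  # assumption: all a draft conversion needs

def _blocks(text):
    # Top-level key -> (inline value, [(indent, line)]); not a full YAML parser.
    blocks, key = {}, None
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()  # strip comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:
            key, _, value = line.partition(":")
            key = key.strip().strip("\"'")
            blocks[key] = (value.strip(), [])
        elif key is not None:
            blocks[key][1].append((indent, line.strip()))
    return blocks

def _direct(children):
    top = min((i for i, _ in children), default=None)
    return [l.lstrip("- ") for i, l in children if i == top]

def _names(inline, children):
    # Keys of an inline scalar / flow list, or direct keys of a block mapping / list.
    if inline:
        return {t.strip() for t in inline.strip("[]").split(",") if t.strip()}
    return {l.partition(":")[0].strip() for l in _direct(children)}

def excessive_write_scopes(workflow_text):
    # Extra write scopes, reported only where the token is privileged (pull_request_target).
    blocks = _blocks(workflow_text)
    if "pull_request_target" not in _names(*blocks.get("on", ("", []))):
        return set()
    granted = {l.partition(":")[0].strip()
               for l in _direct(blocks.get("permissions", ("", []))[1])
               if l.partition(":")[2].strip() == "write"}
    return granted - NEEDED_WRITE

# Constructed sample resembling the workflow under review, not the real file.
WEAK = """\
on:
  pull_request_target:
    types: [opened]
permissions:
  contents: write  # flagged: not needed to convert a PR to draft
  pull-requests: write
jobs: {draft: {steps: [{run: gh pr ready --undo "$PR"}]}}
"""
HARDENED = WEAK.replace("  contents: write  # flagged: not needed to convert a PR to draft\n", "")
```

Running `excessive_write_scopes` over every file under `.github/workflows/` in CI gives a cheap regression check once the permission is dropped.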


Duration: 28.8s · Tokens: 38.7k in / 1.1k out · Cost: $0.08
