
chore: harden GitHub Actions permissions#1656

Merged
Timeless0911 merged 1 commit into
mainfrom
david/chore-actions-permissions
May 19, 2026

Conversation

@Timeless0911
Contributor

Summary

  • Scope GitHub Actions token permissions to permissions: {} at the workflow level and grant only the required permissions per job.
  • Update the pinned ecosystem CI action commit while keeping external actions pinned to commit SHAs.
  • Document exact action versions in comments and disable setup-node package-manager caching for pnpm workflows.

Checklist

  • Tests updated (or not required).
  • Documentation updated (or not required).
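As an added example (not code from this PR or the project), the following script checks a workflow file against the three policies listed in the summary: workflow-level `permissions: {}`, an explicit `permissions` block on every job, and every external `uses:` pinned to a full commit SHA. `audit_workflow`, the two sample workflows and the 40-hex SHA are constructed placeholders; it is a line-based scan and needs no YAML library.

```python
import re

# Added example, not part of the PR. Line-based audit of a GitHub Actions
# workflow for the policies the PR enforces; no PyYAML required.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def audit_workflow(text: str) -> list[str]:
    """Return findings; an empty list means the workflow matches the policy."""
    findings, top_perms, in_jobs, job, job_perms = [], None, False, None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments such as '# v4.2.2'
        body = line.strip()
        if not body:
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:                             # workflow-level keys
            in_jobs, job = body == "jobs:", None
            if body.startswith("permissions:"):
                top_perms = body[len("permissions:"):].strip()
            continue
        if in_jobs and indent == 2 and body.endswith(":"):   # a job id
            job = body[:-1]
            job_perms[job] = False
            continue
        if job and indent == 4 and body.startswith("permissions:"):
            job_perms[job] = True                   # explicit per-job grant present
        m = re.match(r"-?\s*uses:\s*(\S+)", body)
        if m and not m.group(1).startswith("./"):   # local reusable workflows are exempt
            ref = m.group(1)
            if not SHA_RE.match(ref.rsplit("@", 1)[-1]):
                findings.append(f"{ref}: not pinned to a full commit SHA")
    if top_perms != "{}":
        findings.append("workflow-level 'permissions: {}' is missing")
    findings += [f"job '{j}' has no explicit permissions block"
                 for j, ok in job_perms.items() if not ok]
    return findings

# Constructed sample workflows (not taken from the repository).
WEAK = """\
name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          cache: pnpm
"""
HARDENED = """\
name: ci
on: [push]
permissions: {}
jobs:
  test:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
"""
```

Running `audit_workflow(WEAK)` reports both unpinned actions, the missing workflow-level `permissions: {}` and the job without its own grant, while `audit_workflow(HARDENED)` returns no findings.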

Copilot AI review requested due to automatic review settings May 19, 2026 12:06
@Timeless0911 Timeless0911 requested a review from chenjiahan May 19, 2026 12:09
@Timeless0911 Timeless0911 enabled auto-merge (squash) May 19, 2026 12:09
Contributor

Copilot AI left a comment


Pull request overview

This PR tightens GitHub Actions security by setting workflow-level permissions: {} and explicitly granting minimal permissions per job, while also refreshing pinned action metadata and disabling setup-node pnpm caching.

Changes:

  • Set workflow-level permissions: {} across CI workflows and re-add only required job-level permissions.
  • Update pinned action version comments (while keeping actions pinned to commit SHAs) and bump the pinned ecosystem CI action commit.
  • Disable actions/setup-node package-manager caching in pnpm-based workflows.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| .github/workflows/test.yml | Removes default workflow token permissions and grants contents: read per reusable-workflow job. |
| .github/workflows/reusable-test.yml | Sets workflow token permissions to none by default, grants job-level contents: read, updates action version comments, disables package-manager cache. |
| .github/workflows/release.yml | Scopes workflow permissions to none; grants job-level contents: read + id-token: write; updates action version comments; disables package-manager cache. |
| .github/workflows/preview.yml | Scopes workflow permissions to none; grants job-level contents: read; updates action version comments; disables package-manager cache. |
| .github/workflows/lint.yml | Scopes workflow permissions to none; grants job-level contents: read; updates action version comments; disables package-manager cache. |
| .github/workflows/ecosystem-ci.yml | Scopes workflow permissions to none; adds job-level permissions and updates the pinned ecosystem CI action commit. |
| .github/workflows/benchmark.yml | Adds workflow-level permissions: {} and updates commented action version annotations. |

Comment thread .github/workflows/ecosystem-ci.yml
@Timeless0911 Timeless0911 merged commit 53c3c90 into main May 19, 2026
10 checks passed
@Timeless0911 Timeless0911 deleted the david/chore-actions-permissions branch May 19, 2026 12:13