
feat: scope CI workflow permissions to least privilege#50

Merged
Svilen-Stefanov merged 1 commit into main from codeboarding/setup-action on Jun 30, 2026

Conversation

@Svilen-Stefanov

@Svilen-Stefanov Svilen-Stefanov commented Jun 30, 2026

Contributor

What

Move workflow permissions to job level (least privilege) in both dogfood workflows:

  • codeboarding.yml (review): workflow-level permissions: {}; the review job requests contents: read + pull-requests: write + issues: write. Review mode reads the repo and committed baseline and posts a PR comment — it does not commit generated files back to the branch (that is sync mode only), so contents drops from write to read.
  • codeboarding-sync.yml (sync): workflow-level permissions: {}; the sync job keeps contents: write (it pushes the regenerated baseline).

uses: ./ dogfooding and the CodeBoarding App-token identity are kept intact — this repo must run the action code under review, not the published release.

Why this was conflicting

This PR was auto-generated by the webview setup-action onboarding flow on a stale base. Meanwhile main's history was rewritten (force-pushed), leaving the original branch with no common ancestor to current main — so every file conflicted. The branch has been rebuilt directly on top of current main, which resolves the conflicts.

Release

This is intentionally a feat: so release-please proposes a release. It also carries the already-merged codeboarding 0.12.5 engine bump (#49) into that release — release-please missed #49 because its squash-merge title lacked a Conventional Commit prefix.

Note: deviates from the canonical consumer template by omitting id-token: write — this repo authenticates with its own OPENROUTER_API_KEY, so an OIDC token would be an unused write-scoped grant.

Move permissions to job level; review mode drops contents:write -> read
(it never pushes the baseline back to the PR branch - that is sync mode
only, see action.yml `mode` input). Keeps uses: ./ dogfooding and the
CodeBoarding App-token identity intact.

Rebuilt PR #50 onto current main to resolve the no-common-ancestor
conflicts left by main's history rewrite.

This feat: also carries the already-merged codeboarding 0.12.5 engine
bump (#49) into the next release, which release-please missed because
#49's squash title lacked a Conventional Commit prefix.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
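The job-level layout the PR describes, written out as an added example (this is not the repository's actual workflow file): an empty workflow-level grant, a review job with read-only contents plus the two comment scopes, and a sync job that is the only one holding contents: write. Job and step names, the actions/checkout step, and the `mode: review` / `mode: sync` input values are assumptions for illustration.

```yaml
# Added example, not the project's own codeboarding.yml / codeboarding-sync.yml.
# Workflow-level default grants nothing; each job must request what it needs.
name: codeboarding-review
on:
  pull_request:
permissions: {}

jobs:
  review:
    runs-on: ubuntu-latest
    # Review mode reads the repo and committed baseline and posts a PR comment.
    # It never pushes the baseline back, so contents stays read-only.
    permissions:
      contents: read
      pull-requests: write
      issues: write
    steps:
      - uses: actions/checkout@v4
      # Dogfood the action code under review, not the published release.
      - uses: ./
        with:
          mode: review                      # assumed input value; see action.yml `mode`
        env:
          OPENROUTER_API_KEY: ${{ secrets.OPENROUTER_API_KEY }}

---
# Added example of the sync workflow shape; same empty workflow-level grant.
name: codeboarding-sync
on:
  push:
    branches: [main]
permissions: {}

jobs:
  sync:
    runs-on: ubuntu-latest
    # Sync mode regenerates and pushes the baseline, so only this job
    # holds contents: write.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - uses: ./
        with:
          mode: sync                        # assumed input value; see action.yml `mode`
        env:
          OPENROUTER_API_KEY: ${{ secrets.OPENROUTER_API_KEY }}
```

No id-token: write appears in either job, matching the note above: with OPENROUTER_API_KEY supplied directly, an OIDC token would be an unused write-scoped grant.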
@Svilen-Stefanov Svilen-Stefanov force-pushed the codeboarding/setup-action branch from 7c4ed39 to 2cdc03e on June 30, 2026 19:59
@Svilen-Stefanov Svilen-Stefanov changed the title Add CodeBoarding architecture analysis feat: scope CI workflow permissions to least privilege Jun 30, 2026
@Svilen-Stefanov Svilen-Stefanov merged commit cb64c17 into main Jun 30, 2026
2 checks passed
@Svilen-Stefanov Svilen-Stefanov deleted the codeboarding/setup-action branch June 30, 2026 20:02