Skip to content

Add explicit permissions to GitHub Actions workflows#1639

Merged
KOliver94 merged 2 commits into
mainfrom
fix-workflow-code-scanning-alerts
Apr 10, 2026
Merged

Add explicit permissions to GitHub Actions workflows#1639
KOliver94 merged 2 commits into
mainfrom
fix-workflow-code-scanning-alerts

Conversation

@KOliver94
Copy link
Copy Markdown
Owner

@KOliver94 KOliver94 commented Apr 10, 2026

Fixes CodeQL "Workflow does not contain permissions" alerts by declaring minimal GITHUB_TOKEN scopes on every workflow

@coderabbitai
Copy link
Copy Markdown

coderabbitai Bot commented Apr 10, 2026
edited
Loading

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 2064d52d-bf09-4972-8eff-7ea0e7126297

📥 Commits

Reviewing files that changed from the base of the PR and between 82b7673 and ec00d7e.

📒 Files selected for processing (1)
  • .github/workflows/backend.yml
✅ Files skipped from review due to trivial changes (1)
  • .github/workflows/backend.yml
📝 Walkthrough

Walkthrough

Multiple GitHub Actions workflows were updated to declare top-level permissions blocks. Most workflows now set contents: read; one workflow (compress-images.yml) requests contents: write and pull-requests: write. No other job logic or exported/public code entities were changed.

Changes

Cohort / File(s) Summary
Read-only Workflows
.github/workflows/frontend-admin.yml, .github/workflows/frontend-base-workflow.yml, .github/workflows/frontend.yml, .github/workflows/schema-validation.yml, .github/workflows/backend.yml		 Added top-level permissions: contents: read to set repository contents access to read-only for these workflows. No job steps or logic changed.
Image Compression Workflow
.github/workflows/compress-images.yml		 Added workflow-level permissions.contents: write and permissions.pull-requests: write to allow writing repository contents and creating/updating pull requests. No other changes to jobs or steps.

Poem

🐰 I hopped through YAML, neat and bright,
I nudged permissions into sight,
Read by default, write when true,
A careful hop — that's what I do.
🥕✨

🚥 Pre-merge checks | ✅ 1
✅ Passed checks (1 passed)
Check name Status Explanation
Title check ✅ Passed The title 'Add explicit permissions to GitHub Actions workflows' directly and clearly summarizes the main change: adding permissions blocks to multiple GitHub Actions workflow files across the repository.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

Comment @coderabbitai help to get the list of available commands and usage tips.

@codecov
Copy link
Copy Markdown

codecov Bot commented Apr 10, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 93.37%. Comparing base (884fdf0) to head (ec00d7e).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files 
@@           Coverage Diff           @@
##             main    #1639   +/-   ##
=======================================
  Coverage   93.37%   93.37%           
=======================================
  Files          76       76           
  Lines        2386     2386           
  Branches      183      183           
=======================================
  Hits         2228     2228           
  Misses        132      132           
  Partials       26       26

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

coderabbitai[bot]
coderabbitai Bot reviewed Apr 10, 2026
View reviewed changes
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents 
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/backend.yml:
- Around line 31-32: Remove the unnecessary job-level write permission by
deleting the "contents: write" entry from the generate-lockfile job permissions;
the job uses the checkout step with secrets.PERSONAL_ACCESS_TOKEN and the
tj-actions/verify-changed-files action (read-only) and performs git push
authenticated by PERSONAL_ACCESS_TOKEN, so no job-level contents write
permission is required—remove that permission line to tighten permissions.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: bcafa8ce-cb2f-4ce2-8440-bace8f0541a6

📥 Commits

Reviewing files that changed from the base of the PR and between 368ee73 and 82b7673.

📒 Files selected for processing (6)
  • .github/workflows/backend.yml
  • .github/workflows/compress-images.yml
  • .github/workflows/frontend-admin.yml
  • .github/workflows/frontend-base-workflow.yml
  • .github/workflows/frontend.yml
  • .github/workflows/schema-validation.yml

Comment thread .github/workflows/backend.yml Outdated
@KOliver94 KOliver94 merged commit 8fd118f into main Apr 10, 2026
13 checks passed
@KOliver94 KOliver94 deleted the fix-workflow-code-scanning-alerts branch April 10, 2026 12:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@KOliver94