Add missing permissions for the Report job to download artifacts (actions:read) and upload SARIF results (security-events:write). Also add top-level permissions block and align spelling job permissions. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
| permissions: | ||
| contents: read | ||
| pull-requests: write |
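Review bot: once a top-level permissions block exists, a job that omits its own permissions key receives exactly these scopes, and a job-level block replaces the top-level one rather than extending it, so every job still has to list each scope its steps use. That makes the top-level values the floor for any job added later without a block; keep that floor at the read-only minimum (contents: read here) and grant pull-requests: write only in the job-level blocks of jobs whose steps actually write to the PR.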
🟡 warning — Top-level pull-requests: write grants write access to all jobs by default, but the spelling job only needs pull-requests: read. The job-level permission should take precedence, but having a broader top-level permission is misleading and could be a risk if new jobs are added without explicit permissions. Consider setting the top-level to pull-requests: read and only granting write at the job level where needed (i.e., the comment job).
| pull-requests: read | ||
| actions: read | ||
| security-events: write | ||
| outputs: |
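Review bot: actions: read is only needed when a step fetches artifacts from a different workflow run through the API (for example a workflow_run-triggered job passing a run id to the download-artifact action); artifacts produced in the current run, and the outputs: this job declares for downstream jobs, need no extra scope. The commit message ties actions: read and security-events: write to the Report job's artifact download and SARIF upload, so confirm that a step in this job (or the spelling action itself) really performs a cross-run download or a SARIF upload; if neither does, drop both scopes here and keep them on the job that does.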
🔵 suggestion — security-events: write is added to both the spelling and comment jobs. This is unusual for a spell-check workflow. If the underlying action (check-spelling) doesn't actually use the Security tab / code scanning alerts, this permission should be removed to follow the principle of least privilege.
| contents: write | ||
| actions: read | ||
| contents: read | ||
| pull-requests: write |
🟡 warning — The comment job's contents permission was downgraded from write to read. Make sure the check-spelling action's comment/follow-up step doesn't need to push commits (e.g., applying spelling fixes). If it only posts PR comments, read is correct; otherwise this will cause a permissions error at runtime.
Test Results
7 files ±0   44 suites ±0   1h 30m 49s ⏱️ -8s
For more details on these failures, see this check.
Results for commit d3846d5. ± Comparison against base commit fb35cc4.
♻️ This comment has been updated with latest results.
Summary
- Add actions: read to the Report job so it can download artifacts from the spell check job
- Add security-events: write to the Report job for SARIF upload
- Add a top-level permissions block for least-privilege defaults

Test plan
🤖 Generated with Claude Code