chore: update GitHub Actions workflows for permissions and versioning#23
chore: update GitHub Actions workflows for permissions and versioning#23eloi010 wants to merge 3 commits into
Conversation
|
You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool. What Enabling Code Scanning Means:
For more information about GitHub Code Scanning, check out the documentation. |
There was a problem hiding this comment.
Pull request overview
This PR tightens GitHub Actions security by explicitly setting minimal default GITHUB_TOKEN permissions at the workflow level and updates pinned action/workflow SHAs for reproducibility.
Changes:
- Add workflow-level
permissions: {}to reduce default token scopes. - Bump
actions/checkoutpin fromv6.0.2tov6.0.3in the test workflow. - Bump MetaMask security scanner reusable workflow pin from
v2.0.6tov2.1.0.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| .github/workflows/security-code-scanner.yml | Adds workflow-level minimal permissions and updates the pinned reusable security scan workflow SHA. |
| .github/workflows/nft-resolver-tests.yml | Adds workflow-level minimal permissions and updates the pinned checkout action SHA for the CI test workflow. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| permissions: {} | ||
|
|
||
| jobs: | ||
| nft-resolver-tests: | ||
| runs-on: ubuntu-latest |
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit beb06e3. Configure here.

chore: update GitHub Actions workflows for permissions and versioning
Note
Low Risk
CI workflow-only changes with least-privilege permissions and dependency pin updates; no application runtime impact.
Overview
Hardens GitHub Actions by setting workflow-level
permissions: {}onnft-resolver-testsandsecurity-code-scanner, so jobs only get the scopes they declare explicitly.For nft-resolver tests, the job now grants
contents: readandactions: write, bumpsactions/checkoutto v6.0.3, and setspersist-credentials: falseon checkout.For security scanning, the reusable MetaMask scanner workflow is bumped from v2.0.6 to v2.1.0; the job’s
actions/contents/security-eventspermissions are unchanged.Reviewed by Cursor Bugbot for commit 63900b3. Bugbot is set up for automated code reviews on this repo. Configure here.