chore(ci): Maximize CI/CD values (Dependabot & Permissions)#1
hyperpolymath merged 1 commit into main from
Conversation
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: e7989c2c05
| - run: gleam deps download | ||
| - run: gleam test | ||
| - run: gleam format --check src test | ||
| permissions: read-all |
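Review bot: the added line "permissions: read-all" is wider than this workflow needs. The steps visible in the hunk only run "gleam deps download", "gleam test" and "gleam format --check src test" against a checked-out repository, none of which needs more than read access to repository contents, so the least-privilege replacement is a two-line block, "permissions:" followed by "  contents: read". With "read-all" every other readable scope of GITHUB_TOKEN is also handed to erlef/setup-beam@v1 and to any later step, which is exactly the exposure the Codex comment describes; an explicit "contents: read" keeps the benefit of declaring permissions (no fallback to the repository default) without the extra scopes.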
Remove the blanket read-all permission here
If this repo or org uses GitHub's restricted default GITHUB_TOKEN policy (contents/packages only, which is the default for new repos), permissions: read-all widens every push and pull_request run to all readable scopes. This workflow only checks out the repo and runs local Gleam commands, so the broader token is unnecessary and is now exposed to the third-party erlef/setup-beam@v1 action and all later steps; a compromised action or PR script would be able to read issue/PR/package metadata that was previously unavailable.
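For comparison, here is the shape of the workflow with the blanket grant replaced by a least-privilege one. This is an added example, not the file from this PR: the workflow name, the trigger block and the actions/checkout@v4 step are assumptions, while the erlef/setup-beam@v1 step and the three Gleam commands are the ones shown in the hunk above. The weak setting is kept as a comment directly above its replacement.

```yaml
# Added example of a least-privilege CI workflow for a Gleam project.
# Names marked "assumed" are not taken from the PR under review.
name: ci                     # assumed workflow name

on:                          # assumed triggers; the review above mentions push and pull_request
  push:
  pull_request:

# Weak setting from the PR: grants every readable GITHUB_TOKEN scope
# (issues, pull requests, packages, ...) to all steps, including the
# third-party setup action.
# permissions: read-all

# Corrected setting: the job only reads the checked-out source, so the
# token needs nothing beyond read access to repository contents. Declaring
# the block explicitly also stops the workflow from inheriting whatever the
# repository or organization default happens to be.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4        # assumed checkout action version
      - uses: erlef/setup-beam@v1        # third-party action from the hunk
        with:
          otp-version: "26"              # assumed versions; adjust to the project's
          gleam-version: "1.0.0"
      - run: gleam deps download
      - run: gleam test
      - run: gleam format --check src test
```

If one job later needs a write scope (for example, publishing a release), add a job-level "permissions" block on that job alone rather than widening the workflow-level default, so the test job above keeps its read-only token.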
This automated PR updates your CI/CD configurations to maximize value and security.
- github-actions is monitored for updates.
- permissions: read-all added to workflows missing explicit permissions.