
fix(security): scope pipeline.yml permissions per-job instead of workflow-wide #528

Open
Copilot wants to merge 4 commits into main from copilot/fix-workflow-permissions-pipeline

Conversation


Copilot AI commented Mar 27, 2026

  • Remove top-level permissions block from .github/workflows/pipeline.yml
  • Add per-job permissions scoped to minimum required for each job:
    • auto-labeler: pull-requests: write, contents: read
    • createVersion: contents: write
    • lint: contents: read
    • testSource: contents: read
    • dockerBuild: packages: write, contents: read
    • dockerBuildAndPush: packages: write, contents: read
    • updateVersion: contents: read
  • Updated workflow refs to pinned hashes (@07550bab80de7691f4947214ee342351896e209b) matching latest main
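The per-job layout the description above introduces, shown here as an added example rather than the repository's own pipeline.yml: the job names and permission scopes are the ones listed in the PR, while the trigger, steps, `needs` ordering and the `<FULL_COMMIT_SHA>` action pins are placeholders. Four of the seven jobs are shown; testSource, updateVersion and dockerBuild follow the same pattern with the scopes listed above.

```yaml
# Added illustration (not the repo's pipeline.yml); job names and scopes
# follow the PR description, steps and action pins are placeholders.
name: pipeline
on: [push, pull_request]

# No workflow-level `permissions:` block. A job that declares its own
# `permissions:` gets exactly the scopes listed and `none` for every
# other scope, so a step running in `lint` cannot push tags or images
# even though sibling jobs in the same workflow can.
jobs:
  auto-labeler:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write   # apply labels to the PR
      contents: read
    steps:
      - uses: actions/labeler@<FULL_COMMIT_SHA>   # placeholder pin

  createVersion:
    runs-on: ubuntu-latest
    permissions:
      contents: write        # push the version commit / tag
    steps:
      - uses: actions/checkout@<FULL_COMMIT_SHA>
      - run: ./scripts/create-version.sh        # placeholder

  lint:
    runs-on: ubuntu-latest
    permissions:
      contents: read         # checkout only; the token cannot write anything
    steps:
      - uses: actions/checkout@<FULL_COMMIT_SHA>
      - run: make lint                          # placeholder

  dockerBuildAndPush:
    runs-on: ubuntu-latest
    needs: [lint, createVersion]
    permissions:
      packages: write        # push the image to GHCR with GITHUB_TOKEN
      contents: read
    steps:
      - uses: actions/checkout@<FULL_COMMIT_SHA>
      - uses: docker/login-action@<FULL_COMMIT_SHA>
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - run: docker build -t ghcr.io/${{ github.repository }}:${{ github.sha }} . && docker push ghcr.io/${{ github.repository }}:${{ github.sha }}   # placeholder image name
```

A quick check after the change is to confirm the file has no `permissions:` key at the top level and that every job with a write scope can justify it against the step that needs it.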



CLAassistant commented Mar 27, 2026

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution.
1 out of 2 committers have signed the CLA.

✅ ntnn
❌ Copilot
You have signed the CLA already but the status is still pending? Let us recheck it.

Copilot AI changed the title from "[WIP] Fix excessive workflow-level permissions in pipeline.yml" to "fix(security): scope pipeline.yml permissions per-job instead of workflow-wide" Mar 27, 2026
Copilot finished work on behalf of ntnn March 27, 2026 10:22
Copilot AI requested a review from ntnn March 27, 2026 10:22
github-actions Bot added the fix label Mar 28, 2026

ntnn commented Mar 28, 2026

@copilot rebase


Copilot AI commented Mar 28, 2026

> @copilot rebase

Done. Incorporated the pinned workflow refs (@07550bab80de7691f4947214ee342351896e209b) from main along with the per-job permissions in commit 230a035.

Copilot finished work on behalf of ntnn March 28, 2026 01:56
github-actions Bot added the chore label Mar 28, 2026
ntnn marked this pull request as ready for review March 28, 2026 02:01
ntnn requested review from a team as code owners March 28, 2026 02:01
ntnn enabled auto-merge (squash) March 28, 2026 02:01
ntnn added this to tbd Mar 28, 2026
github-project-automation Bot moved this to Backlog in tbd Mar 28, 2026
ntnn moved this from Backlog to Reviewing in tbd Mar 31, 2026