
ci: declare contents:read on slack-alert workflow#205

Open
arpitjain099 wants to merge 1 commit into
uber:masterfrom
arpitjain099:chore/slack-alert-permissions

Conversation

@arpitjain099

The slack-alert workflow triggers on workflow_run, which runs with the same default-branch context that push events use, not the read-only context used for pull_request from forks. Right now there's no explicit permissions: block on this workflow, so the token receives whatever the repo default grants.

The job itself only calls slackapi/slack-github-action@v2.1.1 with SLACK_WEBHOOK_URL. It never invokes the GitHub API or touches the repo, so pinning the workflow to contents: read makes the minimum-scope intent explicit. This narrows the blast radius if the third-party Slack action is ever compromised (cf. tj-actions/changed-files CVE-2025-30066).

Style matches release.yml and website.yml, which already carry explicit permissions: blocks.

I deliberately left tests.yml out of this patch: it uses actions/cache, and that interacts with the explicit-permissions story in a way I'd rather handle separately if you want it tightened up too. Happy to follow up.

slack-alert runs on workflow_run, which executes with the elevated
default-branch context (not the read-only pull_request context). The
job only posts to a Slack webhook via SLACK_WEBHOOK_URL; it never
calls the GitHub API. Pinning the workflow to contents:read makes the
minimum-scope contract explicit, matching release.yml and website.yml
which already declare permissions blocks.

tests.yml uses actions/cache and is therefore left for a separate
change to avoid muddling the cache-write semantics here.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
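The token-scope reasoning in the description, as an added example that is not part of this PR or of the uber repository: a stdlib-only Python check that flags workflow files which fire on an event carrying the base repository's GITHUB_TOKEN (workflow_run, push, schedule, and similar) but declare no `permissions:` block at the workflow or job level. It is run against a constructed before/after pair modelled on the description; the upstream workflow name, the job name and the slackapi action inputs in that sample YAML are assumptions, not text copied from slack-alert.yml. The parser is a line-oriented heuristic for conventionally 2-space-indented workflows, chosen to avoid a YAML dependency.

```python
"""Flag GitHub Actions workflows that run with the base-repo token but set no permissions.

Added example for the slack-alert PR discussion; not code from the uber repo or the PR.
The sample workflows below are constructed: upstream workflow name, job name and the
slackapi inputs are assumptions chosen to mirror the PR description.
"""
import re

# Events whose jobs receive the base repository's GITHUB_TOKEN with the repo/org
# default scopes unless the workflow narrows them. A pull_request from a fork
# already runs with a read-only token, so it is deliberately not listed.
PRIVILEGED_EVENTS = {
    "push", "workflow_run", "schedule", "workflow_dispatch",
    "pull_request_target", "issue_comment", "release",
}

# Constructed "before" state: workflow_run trigger, no permissions block anywhere.
BEFORE = """\
name: slack-alert
on:
  workflow_run:
    workflows: ["tests"]        # assumed upstream workflow name
    types: [completed]
jobs:
  notify:                        # assumed job name
    runs-on: ubuntu-latest
    steps:
      - uses: slackapi/slack-github-action@v2.1.1
        with:                    # input names are assumptions for this example
          webhook: ${{ secrets.SLACK_WEBHOOK_URL }}
          webhook-type: incoming-webhook
          payload: |
            text: "${{ github.event.workflow_run.name }}: ${{ github.event.workflow_run.conclusion }}"
"""

# Constructed "after" state: the same file with the block this PR proposes.
AFTER = BEFORE.replace("jobs:\n", "permissions:\n  contents: read\n\njobs:\n", 1)

# Match an event name only where it appears as a key, a list item, or the value of
# `on:`; this avoids false hits such as a `workflows: ["release"]` filter string.
_EVENT_RE = re.compile(
    r"(?:^\s*-?\s*|[\[,]\s*|^on:\s*)(" + "|".join(sorted(PRIVILEGED_EVENTS)) + r")\b",
    re.M,
)


def _top_level_block(text: str, key: str) -> str:
    """Return the `key:` line plus every following indented or blank line."""
    out, capturing = [], False
    for line in text.splitlines():
        if re.match(rf"^{re.escape(key)}:", line):
            capturing = True
            out.append(line)
            continue
        if capturing:
            if line and not line[0].isspace():
                break  # next top-level key ends the block
            out.append(line)
    return "\n".join(out)


def audit_workflow(text: str) -> dict:
    """Report privileged triggers and whether permissions are explicitly scoped."""
    triggers = set(_EVENT_RE.findall(_top_level_block(text, "on")))
    has_top_perms = bool(re.search(r"^permissions:", text, re.M))
    jobs_block = _top_level_block(text, "jobs")
    # Job names sit at indent 2, job-level permissions at indent 4 (2-space style assumed).
    job_names = re.findall(r"^  ([A-Za-z0-9_-]+):\s*(?:#.*)?$", jobs_block, re.M)
    job_perms = re.findall(r"^    permissions:", jobs_block, re.M)
    scoped = has_top_perms or (bool(job_names) and len(job_perms) >= len(job_names))
    return {
        "privileged_triggers": sorted(triggers),
        "explicit_permissions": scoped,
        "needs_fix": bool(triggers) and not scoped,
    }


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_workflow(text))
```

Two caveats the check makes visible: `permissions:` only narrows GITHUB_TOKEN, so the SLACK_WEBHOOK_URL secret is still handed to the step either way, and for a job that never touches the GitHub API the strictest declaration is `permissions: {}`, which grants no scopes at all; `contents: read` is a reasonable choice here because it matches the repository's existing workflows.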
@CLAassistant

CLAassistant commented May 14, 2026

CLA assistant check
All committers have signed the CLA.

@coveralls

Coverage Report for CI Build 631

Coverage remained the same at 96.954%

Details

  • Coverage remained the same as the base build.
  • Patch coverage: No coverable lines changed in this PR.
  • No coverage regressions found.

Uncovered Changes

No uncovered changes found.

Coverage Regressions

No coverage regressions found.


Coverage Stats

Coverage Status
Relevant Lines: 570
Covered Lines: 559
Line Coverage: 98.07%
Relevant Branches: 185
Covered Branches: 173
Branch Coverage: 93.51%
Branches in Coverage %: Yes
Coverage Strength: 0.98 hits per line

💛 - Coveralls
