
fix: add least-privilege permissions to workflows#665

Open
eniayomi wants to merge 3 commits into main from fix/code-scanning-workflow-permissions

Conversation

@eniayomi

Resolves the four actions/missing-workflow-permissions warnings by adding least-privilege permissions blocks.

  • cla.yml: CLA bot needs pull-requests/statuses: write to comment and set status; actions: write so it can re-trigger itself. Signatures repo is written via PERSONAL_ACCESS_TOKEN, not GITHUB_TOKEN.
  • lint.yml, test.yml: contents: read for checkout.
  • release.yml: contents: write because gnosis/changesets-action-github-releases pushes tags and creates releases.

Actions were already SHA-pinned, no SHA changes needed.

Address actions/missing-workflow-permissions on the four workflows.

- cla.yml: CLA bot needs pull-requests/statuses:write to comment and
  set status; actions:write to re-trigger itself. Signatures repo is
  written via PERSONAL_ACCESS_TOKEN, not GITHUB_TOKEN.
- lint.yml, test.yml: contents:read for checkout.
- release.yml: contents:write because gnosis/changesets-action-github-releases
  pushes tags and creates releases.
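The permission scopes listed above, shown as an added example configuration that is not the PR's own diff: the trigger blocks, step lists, job names and the `<pinned-commit-sha>` placeholders are assumptions, and only the per-workflow scopes (contents: read for lint/test, contents: write for release, pull-requests/statuses/actions: write for the CLA job) come from the PR description and commit messages. A top-level `permissions:` block narrows the automatic GITHUB_TOKEN for every job in that file; a job without any block falls back to the repository's default token permissions, which is what the actions/missing-workflow-permissions warning flags.

```yaml
# Added illustration, not the PR's actual diff. Permission scopes are the
# ones named in the PR; triggers, steps and the <pinned-commit-sha>
# placeholders are assumptions.

# --- lint.yml (test.yml is identical in shape) ---
# actions/checkout only clones the repository, so the token needs read only.
name: lint
on: [pull_request]
permissions:
  contents: read
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@<pinned-commit-sha>   # PR notes actions are already SHA-pinned
      - run: npm run lint                             # assumed lint command
---
# --- release.yml ---
# The release action pushes tags and creates GitHub Releases, so the
# token needs write on repository contents and nothing else.
name: release
on:
  push:
    branches: [main]
permissions:
  contents: write
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@<pinned-commit-sha>
      - uses: gnosis/changesets-action-github-releases@<pinned-commit-sha>
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}   # assumed: how the action receives the token
---
# --- cla.yml (the pre-reusable-action form described in the PR body) ---
# Triggers follow contributor-assistant's documented setup (assumption here).
name: cla
on:
  issue_comment:
    types: [created]
  pull_request_target:
    types: [opened, synchronize]
permissions:
  pull-requests: write   # post the "please sign the CLA" comment
  statuses: write        # set the commit status on the PR head
  actions: write         # re-trigger this workflow after a signature comment
  # Deliberately no contents: write. Signatures are stored in a separate
  # repo and written with PERSONAL_ACCESS_TOKEN, so GITHUB_TOKEN never
  # needs write access to this repository's contents.
jobs:
  cla:
    runs-on: ubuntu-latest
    steps:
      - uses: contributor-assistant/github-action@<pinned-commit-sha>   # v2.6.1 per the later commit
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PERSONAL_ACCESS_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
```

The three documents are separated with `---` only so they can sit in one fence; in the repository each is its own file under `.github/workflows/`. The check to keep in mind when reviewing a block like the CLA one is that every `write` scope maps to a concrete action the job performs (comment, status, re-run); a scope with no such justification is the one to drop.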
@changeset-bot

changeset-bot Bot commented May 26, 2026

⚠️ No Changeset found

Latest commit: 1be6b3d

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

eniayomi marked this pull request as ready for review May 26, 2026 13:50

@eniayomi (Author)

I have read the CLA Document and I hereby sign the CLA

eniayomi added 2 commits May 28, 2026 10:45
Replace the direct contributor-assistant/github-action invocation with
the centralised reusable action at safe-global/github-reusable-workflows
(commit f72a861e — main 2026-05-27).

The reusable action wraps contributor-assistant @ v2.6.1 and points the
signature writes at the cla-signatures repo's 'signatures' branch
(outside the ruleset that was rejecting bot commits on main).

Requires the REUSABLE_WORKFLOWS_TOKEN repo/org secret. Allowlist
preserved from the previous workflow.
