Skip to content

ci: set explicit read permissions on ci workflow#494

Open
arpitjain099 wants to merge 1 commit into
nuxt:mainfrom
arpitjain099:chore/workflow-permissions
Open

ci: set explicit read permissions on ci workflow#494
arpitjain099 wants to merge 1 commit into
nuxt:mainfrom
arpitjain099:chore/workflow-permissions

Conversation

@arpitjain099
Copy link
Copy Markdown

@arpitjain099 arpitjain099 commented Jun 2, 2026

This narrows the GITHUB_TOKEN for .github/workflows/ci.yml to read-only.

  • These jobs only check out the repo and run build/test steps, so contents: read covers them.
  • Without an explicit block the token inherits the repo default, often write-enabled.
  • Following the principle of least privilege from the GitHub Actions security hardening guide.

Behavior is unchanged.

@arpitjain099
ci: set explicit read permissions on ci workflow
51a46bd 
Set an explicit least-privilege permissions block so the workflow GITHUB_TOKEN is scoped to contents: read instead of inheriting the repository default.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
@coderabbitai
Copy link
Copy Markdown

coderabbitai Bot commented Jun 2, 2026

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 7cffe6ec-e714-4c01-8210-1b6971e59308

📥 Commits

Reviewing files that changed from the base of the PR and between 7cafddc and 51a46bd.

📒 Files selected for processing (1)
  • .github/workflows/ci.yml
📝 Walkthrough

Walkthrough

The PR adds explicit permissions configuration to the top level of the CI workflow in .github/workflows/ci.yml. This configuration restricts the default GITHUB_TOKEN to read-only access for repository contents by setting contents: read. No workflow steps, jobs, or logic were modified—only the permission scope of the token used during the workflow execution.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately summarizes the main change: adding explicit read permissions to the CI workflow file for security purposes.
Description check ✅ Passed The description clearly explains the rationale for the change, references the GitHub security hardening guide, and confirms behavior is unchanged.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@atinux
Copy link
Copy Markdown
Member

atinux commented Jun 2, 2026

We don't use any GITHUB_TOKEN in ur CI @arpitjain099, I appreciate the PR though

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@arpitjain099 @atinux