Fix: Add permissions to the workflow being called. #389
Conversation
Codecov Report: All modified and coverable lines are covered by tests.

Coverage diff (main vs. #389):
  Coverage   100.00%   100.00%
  Files      1         1
  Lines      2         2
  Hits       2         2

Flags with carried forward coverage won't be shown.
Pull request overview
Updates the scheduled/dispatch auto-release workflow to grant additional permissions to the job that invokes the reusable auto-releaser workflow, enabling the called workflow to perform release/tag operations.
Changes:
- Adds a job-level permissions: write-all to the release job in .github/workflows/auto-release.yml.
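As an added illustration (not the workflow files from this repository), the caller job in the form this PR first pushed beside the narrowed form the review asks for, plus the called side so the permission flow is visible. The file name of the reusable workflow, the schedule, the job names and the release command are assumptions; only the caller path .github/workflows/auto-release.yml, the release job name and the two permissions values come from the PR.

```yaml
# Added example, not the repository's own workflow. Assumed details are marked.

# --- Caller: .github/workflows/auto-release.yml (path from the PR) ---
name: auto-release
on:
  schedule:
    - cron: "0 6 * * 1"      # assumed schedule
  workflow_dispatch:          # PR text describes a scheduled/dispatch workflow

jobs:
  release:
    # Weak form (as first pushed): every GITHUB_TOKEN scope becomes write for
    # this job and, through the call below, for the reusable workflow too.
    # permissions: write-all
    #
    # Narrowed form: only what tag/release creation needs. Declaring any
    # scope here sets every scope that is not listed to none for this job.
    permissions:
      contents: write
    uses: ./.github/workflows/auto-releaser.yml   # assumed reusable workflow path
    secrets: inherit

# --- Called (assumed file): .github/workflows/auto-releaser.yml ---
# A reusable workflow can keep or narrow the caller's grant, never widen it,
# so contents: write here is the ceiling even if the caller passed write-all.
name: auto-releaser
on:
  workflow_call:

jobs:
  tag-and-release:           # assumed job name
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      # Assumed release step; creating the tag and the release both need contents: write.
      - run: gh release create "v$(date +%Y.%m.%d)" --generate-notes
        env:
          GH_TOKEN: ${{ github.token }}
```

The point a defender takes from the two forms is that the explicit map fails closed: a step the auto-releaser does not actually perform (package publishing, attestation upload) cannot be reached with this token, and if such a step is added later it surfaces as a 403 in the run log rather than silently succeeding under write-all.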
.github/workflows/auto-release.yml
Outdated
||
| jobs: | ||
| release: | ||
| permissions: write-all |
Copilot (AI) · Feb 9, 2026
permissions: write-all grants the reusable release job full write access to all permission scopes, which is broader than needed and increases blast radius (especially since secrets: inherit is used). Based on the called workflow steps (tag/release creation), this likely only requires contents: write (and keep other scopes as read/unset). Prefer specifying the minimal explicit permissions map here instead of write-all.
| permissions: write-all | |
| permissions: | |
| contents: write |
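Review bot: narrowing to contents: write is the right call for tag/release creation, but it also changes the default for every other scope on this job: once a permissions map lists any key, GitHub sets all unlisted scopes to none, and the reusable workflow called with secrets: inherit receives that same narrowed token (a called workflow can only match or further reduce the caller's grant). Please confirm by triggering the workflow_dispatch path once after merge that no step in the auto-releaser needs another scope; if one does (for example packages: write or id-token: write), add it explicitly here rather than falling back to write-all.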
Pull request overview
Copilot reviewed 2 out of 2 changed files in this pull request and generated no new comments.
No description provided.