Apply principle of least privilege by adding top-level permissions
blocks to all workflows that were missing them. Workflows with
job-level permissions use `permissions: {}` at the top to ensure
no default permissions leak. This prevents token privilege escalation
if a workflow is compromised.
cjroth has reached the 50-review limit for trial accounts. To continue receiving code reviews, upgrade your plan.
Semgrep Security Scan: No security issues found.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit faa7592.
| cancel-in-progress: true | ||
|
|
||
| permissions: | ||
| contents: read |
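Review bot: the workflow-level `contents: read` block added right after `cancel-in-progress: true` replaces the repository default token scopes for every job in this file, and GitHub applies a job-level `permissions:` block as a full replacement of the workflow-level one rather than merging the two; any job that needs an extra scope must therefore restate `contents: read` next to it (for example `permissions:` / `  contents: read` / `  pull-requests: read` on the job), otherwise that job silently loses checkout access while gaining the new scope. Worth a one-line comment above the block saying that job-level overrides do not inherit from it.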
Missing pull-requests permission breaks CI change detection
High Severity
The new top-level `permissions: contents: read` block causes the `detect-changes` job to lose `pull-requests: read` access. `dorny/paths-filter@v3` requires `pull-requests: read` on `pull_request` events because it uses the GitHub REST API to fetch modified files. Without it, the action will fail, breaking the `detect-changes` job and the downstream `rust` job that depends on it for all pull requests. The `typescript` job is unaffected because it has its own job-level `pull-requests: write` override.
Reviewed by Cursor Bugbot for commit faa7592.
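The pattern the comment above describes, written out as an added example (not the PR's own ci.yml): a restrictive workflow-level block plus a job-level override for the one job that needs `pull-requests: read`. The job names `detect-changes` and `rust` come from the comment; the trigger, path filter and build step are assumptions.

```yaml
# Added example, not the repository's workflow. Job names follow the
# Bugbot comment; paths, filters and commands are assumptions.
name: ci

on:
  pull_request:
  push:
    branches: [main]

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

# Workflow-level default: every job gets contents: read and nothing else
# unless it declares its own permissions block.
permissions:
  contents: read

jobs:
  detect-changes:
    runs-on: ubuntu-latest
    # A job-level block replaces the workflow-level one for this job, so
    # contents: read has to be restated next to the extra scope.
    permissions:
      contents: read
      pull-requests: read   # needed by dorny/paths-filter on pull_request
    outputs:
      rust: ${{ steps.filter.outputs.rust }}
    steps:
      - uses: actions/checkout@v4
      - id: filter
        uses: dorny/paths-filter@v3
        with:
          filters: |
            rust:
              - 'crates/**'

  rust:
    needs: detect-changes
    if: needs.detect-changes.outputs.rust == 'true'
    runs-on: ubuntu-latest
    # No permissions block here: inherits the workflow-level contents: read,
    # which is all a checkout-and-test job needs.
    steps:
      - uses: actions/checkout@v4
      - run: cargo test --all
```

Keeping the job-level block minimal (only `contents: read` plus the one extra scope) preserves the least-privilege intent of the PR while restoring what `paths-filter` needs.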
Summary
- Add `permissions:` blocks to all 10 workflows that were missing them
- `permissions: {}` at the top level (claude.yml, enterprise-deploy.yml, enterprise-publish.yml) — this makes the default restrictive
- `permissions: contents: read` (ci.yml, e2e.yml, ios-release.yml, test-build.yml)
- `permissions: contents: write` (create-version-tag.yml, desktop-release.yml, version-bump.yml)
- … (`write-all`), which is overly permissive

Test plan
- … (`contents: read` + job-level overrides)
- … (`contents: write`)
- … (`id-token: write` is preserved)

Note
Medium Risk
Workflow permission defaults are tightened; if any job implicitly relied on broader `GITHUB_TOKEN` scopes, CI/release/deploy steps could start failing. Changes are limited to GitHub Actions config (no product/runtime code).

Overview
Adds explicit top-level `permissions` across GitHub Actions workflows to avoid inheriting permissive repo defaults. Most workflows now default to either `permissions: {}` (no token permissions unless a job opts in) or `contents: read`, while workflows that need to publish artifacts/tags retain job-level elevated permissions (e.g., `packages: write`, `id-token: write`).
Reviewed by Cursor Bugbot for commit 55a5cc2.