 zbhan
|
5e3517d62e
|
fix comment
|
2025-11-02 22:55:27 -05:00 |
|
|
zbhan
|
9f311580e1
|
Fix validation logic
|
2025-11-02 22:49:43 -05:00 |
|
|
zbhan
|
3c7925dc46
|
Fix validation
|
2025-11-02 22:24:31 -05:00 |
|
|
zbhan
|
89ca3eedcc
|
Fix backend check
|
2025-11-02 22:15:45 -05:00 |
|
|
zbhan
|
c0a8375466
|
Fix validation error
|
2025-11-02 22:11:24 -05:00 |
|
|
zbhan
|
3f683200a6
|
fix(workflow): fix github workflow
|
2025-11-02 21:49:59 -05:00 |
|
 Luna Martinez
|
8a4524747f
|
Change permissions from read to write for contents
|
2025-11-02 21:15:31 -05:00 |
|
 tangmengqiu
|
0168f766de
|
fix(ci): Add comprehensive permissions to pr-checks workflow
Add workflow-level default permissions and explicit per-job permissions
following the principle of least privilege:
Workflow-level (default):
- contents: read - Read repository contents
- pull-requests: write - Manage PR labels and comments
- issues: write - Manage issues (PRs are issues in GitHub API)
Job-level overrides:
- validate-pr: Inherits workflow defaults (needs issue/PR write access)
- backend-tests: Downgrade to read-only (no write operations needed)
- frontend-tests: Downgrade to read-only (no write operations needed)
- auto-label: Add missing issues:write (labeler operates on PR issues)
- security-check: Add security-events:write (upload SARIF results)
- secrets-check: Downgrade to read-only (scanning only)
- all-checks: Downgrade to read-only (status checking only)
This fixes:
1. Potential 403 errors when auto-label tries to add labels to PR issues
2. Missing permission for uploading security scan results
3. Overly permissive access for read-only jobs
Related: #282
Co-Authored-By: tinkle-community <tinklefund@gmail.com>
|
2025-11-02 18:23:28 -05:00 |
|
|
zbhan
|
3af9f3e376
|
fix: github workflow permission
|
2025-11-01 22:25:32 -04:00 |
|
|
zbhan
|
2f4f277001
|
feat: pr validation
|
2025-11-01 18:25:44 -04:00 |
|