
Add explicit permissions blocks to GitHub Actions workflows #96

Open
DominicBM wants to merge 1 commit into main from fix/workflow-permissions

Conversation


@DominicBM DominicBM commented Mar 14, 2026

Summary

  • Adds permissions: contents: read to all three GitHub Actions workflows to resolve 3 open CodeQL code scanning alerts (#1, #2, #3)
  • All workflows use explicit AWS secrets for cloud access — they don't need any write permissions on GITHUB_TOKEN
  • Restricting to least-privilege prevents token misuse if a third-party action in the workflow were ever compromised

Test plan

  • Confirm the Scala CI workflow still passes on this PR
  • Confirm CodeQL alerts are resolved after merge

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated GitHub Actions workflow permissions across deployment and build pipelines to align with security best practices.

Fixes 3 CodeQL code scanning alerts (actions/missing-workflow-permissions).
All three workflows only need read access to repository contents;
AWS credentials are supplied via repository secrets, not GITHUB_TOKEN.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
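The test plan above relies on CodeQL to confirm that the actions/missing-workflow-permissions alerts go away after merge. As an added example, not code from this PR or its repository, the following stdlib-only Python script performs the same check locally: it scans a workflow file for a workflow-level permissions block, falls back to per-job blocks, reports jobs whose GITHUB_TOKEN would still receive the repository default scopes, and separately flags any explicit write-all grant. The three sample workflows embedded in it are constructed for the demonstration and are not the repository's real deploy-staging.yml, deploy.yml or scala.yml; the scan is indentation-based rather than a full YAML parse, which is adequate for the flat layout GitHub workflows use but not a substitute for PyYAML on unusual files.

```python
"""Added example (not part of this PR): report GitHub Actions workflows whose
GITHUB_TOKEN is not restricted by an explicit `permissions:` block."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

PERMISSIONS_RE = re.compile(r"^permissions\s*:\s*(.*)$")


@dataclass
class WorkflowReport:
    path: str
    # Text after a top-level `permissions:` ("" for a block mapping); None if absent.
    workflow_level: Optional[str] = None
    # job id -> text after the job-level `permissions:`; None if the job has none.
    jobs: Dict[str, Optional[str]] = field(default_factory=dict)

    def missing_jobs(self) -> List[str]:
        """Jobs whose token falls back to the repository default scopes."""
        if self.workflow_level is not None:  # a workflow-level block covers every job
            return []
        return [job for job, value in self.jobs.items() if value is None]

    def broad_grants(self) -> List[str]:
        """Places that explicitly widen the token to write-all."""
        found = []
        if self.workflow_level is not None and self.workflow_level.strip() == "write-all":
            found.append("workflow")
        found += [j for j, v in self.jobs.items() if v is not None and v.strip() == "write-all"]
        return found

    def ok(self) -> bool:
        return not self.missing_jobs() and not self.broad_grants()


def check_workflow(text: str, path: str = "<inline>") -> WorkflowReport:
    """Indentation-based scan: top-level keys sit at column 0, job ids one level
    deeper under `jobs:`, and job keys one level deeper again."""
    report = WorkflowReport(path)
    in_jobs = False
    job_indent = None   # indentation of job ids, learned from the file
    key_indent = None   # indentation of keys inside the current job
    current_job = None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if indent == 0:  # top-level key
            in_jobs = stripped.startswith("jobs:")
            current_job = None
            m = PERMISSIONS_RE.match(stripped)
            if m:
                report.workflow_level = m.group(1)
            continue
        if not in_jobs:
            continue
        if job_indent is None:
            job_indent = indent
        if indent == job_indent and stripped.endswith(":"):
            current_job = stripped[:-1].strip()
            key_indent = None
            report.jobs[current_job] = None
            continue
        if current_job is None or indent <= job_indent:
            continue
        if key_indent is None:
            key_indent = indent
        if indent == key_indent:
            m = PERMISSIONS_RE.match(stripped)
            if m:
                report.jobs[current_job] = m.group(1)
    return report


# Constructed sample workflows for the demonstration (not the repository's files).
NO_PERMISSIONS = """\
name: Scala CI
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: sbt test
"""

WORKFLOW_LEVEL_READ = "name: Scala CI\non: [push, pull_request]\npermissions:\n  contents: read\n" + NO_PERMISSIONS.split("\n", 2)[2]

MIXED_JOB_LEVEL = """\
name: Deploy
on:
  push:
    branches: [main]
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
  publish:
    runs-on: ubuntu-latest
    permissions: write-all
    steps:
      - run: echo "cloud access comes from AWS secrets, not GITHUB_TOKEN"
"""

if __name__ == "__main__":
    for name, text in [("no-permissions", NO_PERMISSIONS),
                       ("workflow-level-read", WORKFLOW_LEVEL_READ),
                       ("mixed-job-level", MIXED_JOB_LEVEL)]:
        r = check_workflow(text, name)
        print(f"{name}: ok={r.ok()} missing={r.missing_jobs()} write-all={r.broad_grants()}")
```

Run against a checkout, the same function can be applied to each file under .github/workflows/ by reading it with `open(path).read()`; a job that appears in `missing_jobs()` is the condition CodeQL reports, and a name in `broad_grants()` is worth a second look even though CodeQL's missing-permissions rule does not flag it.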

coderabbitai bot commented Mar 14, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 410294d1-87c4-4e02-ae63-b28d4b161e5a

📥 Commits

Reviewing files that changed from the base of the PR and between 5d79d40 and d067879.

📒 Files selected for processing (3)
  • .github/workflows/deploy-staging.yml
  • .github/workflows/deploy.yml
  • .github/workflows/scala.yml

Walkthrough

Three GitHub Actions workflow files in the .github/workflows/ directory are updated to include a permissions block declaring contents: read access. No other behavioral changes are introduced; existing workflow steps and job logic remain unchanged.

Changes

Cohort / File(s) | Summary
GitHub Actions Workflow Permissions (.github/workflows/deploy-staging.yml, .github/workflows/deploy.yml, .github/workflows/scala.yml) | Added a permissions: contents: read declaration to each workflow file, establishing minimal required permissions at the workflow level.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled.
Title check | ✅ Passed | The title accurately and specifically describes the main change: adding explicit permissions blocks to GitHub Actions workflows across three files.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
