ci(lint): grant pull-requests: read for prettier_changed_only mode #7

Merged: topcoder1 merged 1 commit into main from claude/lint-pull-requests-read on May 4, 2026

@topcoder1 (Owner)

Summary

Adds `pull-requests: read` to this repo's `.github/workflows/lint.yml` caller permissions block. Single-line read-scope grant, no privilege escalation.

Why

Required by topcoder1/ci-workflows#29 (merged 2026-05-03), which adds a `prettier_changed_only` mode (default `true`) that lists PR-changed files via `gh api .../pulls/N/files`. Without this permission the reusable workflow falls back to full-glob mode and emits a `::warning::` on every PR — functional but noisy. Granting the permission silences the warning and enables the intended diff-only behavior.

The fleet-wide motivation is that pre-existing markdown drift on main poisons every subsequent docs PR's lint check; PR-changed-only mode fixes the root cause.

Auto-merge rationale

Workflow-permission change → in the high-risk surface list (.github/workflows/**), so manual click-merge per fleet policy. The change itself is one line of additional pull-requests: read scope; no auth, no secrets, no destructive ops.

Codex pre-review

Skipping — workflow-only change, 1 functional line (plus 2 comment lines), not in src/**.

Test plan

  • CI passes
  • First post-merge PR shows the prettier job logs `Mode: files (...)` instead of `::warning::Could not list PR files`

🤖 Generated with Claude Code

Required by topcoder1/ci-workflows#29 (merged 2026-05-03), which
adds a prettier_changed_only mode that lists PR-changed files via
`gh api .../pulls/N/files`. Without this permission the reusable
workflow falls back to full-glob mode and emits a ::warning:: on
every PR — functional but noisy.

Strictly grants an additional read scope, no privilege escalation.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
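
Because a called reusable workflow cannot hold more `GITHUB_TOKEN` permissions than its caller grants, the scope has to appear in the caller; the following added example (not code from this PR or repository) checks a caller workflow for that grant and for any scope above read. The sample workflow, its `uses:` target and the function names are constructed for illustration, and the parser assumes a block-style top-level `permissions:` mapping or the `read-all`/`write-all` shorthand.

```python
import re

# Constructed sample caller workflow; the `uses:` target is a placeholder,
# not the repository's actual lint.yml.
SAMPLE_CALLER = """\
name: lint
on: pull_request
permissions:
  contents: read
  # lets the reusable workflow list PR-changed files
  pull-requests: read
jobs:
  lint:
    uses: OWNER/ci-workflows/.github/workflows/lint.yml@main
"""

def top_level_permissions(workflow_text):
    """Return {scope: level}; the *-all shorthand comes back as {"*": level}."""
    perms, in_block = {}, False
    for raw in workflow_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # strip YAML comments
        if not line.strip():
            continue
        if not in_block:
            head = re.fullmatch(r"permissions:\s*(\S*)", line)
            if head and head.group(1):
                return {"*": head.group(1)}
            in_block = head is not None
            continue
        entry = re.fullmatch(r"\s+([\w-]+):\s*([\w-]+)", line)
        if entry is None:  # dedent: the permissions mapping has ended
            break
        perms[entry.group(1)] = entry.group(2)
    return perms

def audit(workflow_text, required=("pull-requests",)):
    """List findings: grants above read, or a required read scope missing."""
    perms = top_level_permissions(workflow_text)
    if not perms:
        return ["no explicit top-level permissions block"]
    findings = [f"{scope}: {level} is not read or none"
                for scope, level in sorted(perms.items())
                if level not in ("read", "none", "read-all")]
    if "*" not in perms:  # shorthand already covers every scope
        findings += [f"{scope}: read not granted" for scope in required
                     if perms.get(scope) not in ("read", "write")]
    return findings
```

An empty list from `audit` means every granted scope is read-level and the scope needed for PR-changed-only mode is present.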
@github-actions

github-actions Bot commented May 3, 2026

Auto-merge blocked — risk-tier paths touched.

This Claude-authored PR modifies files matching the risk-tier patterns
defined in the global CLAUDE.md policy (auth / secrets / migrations /
billing / production infra). Manual click-merge required, OR use one of
the bypass paths below.

Matched files:

```
.github/workflows/lint.yml (matched: ^\.github/workflows/.*)
```

**Bypass options (no PR detail navigation needed):**

- Apply the `auto-merge-approved` label to this PR. The workflow will re-run on
  the label event and enable auto-merge. One click from the PR list page.
- Wait for the `review / Codex Review` status check to pass. If Codex Review is
  installed on this repo and it returns SUCCESS, the workflow auto-bypasses
  the risk gate on its next run (e.g. on push of a fixup commit).

If a path is misclassified, fix the regex in
`topcoder1/ci-workflows/.github/workflows/claude-author-automerge.yml`.

@claude

claude Bot commented May 3, 2026

No issues found. Single read-only permission grant, well-scoped and well-justified.

@topcoder1 topcoder1 merged commit 1ff849d into main May 4, 2026
7 checks passed
@topcoder1 topcoder1 deleted the claude/lint-pull-requests-read branch May 4, 2026 00:55