ci: scope test workflows to least-privilege contents:read #37
Merged
Conversation
Qodo flagged that backend-tests now runs PR-controlled code on every PR (including forks) without an explicit permissions: block, inheriting repo-default GITHUB_TOKEN scopes. Both test jobs only check out and run the plugin, so pin them to contents:read. The release job keeps its own elevated scopes in test-and-release.yml.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Review Summary by Qodo
Add least-privilege permissions to test workflows

Walkthroughs

Description
• Add explicit least-privilege permissions to test workflows
• Restrict backend-tests job to contents:read scope
• Restrict frontend-tests job to contents:read scope
• Prevent PR-controlled code from inheriting elevated token scopes

Diagram
flowchart LR
    A["Test Workflows"] -->|"Add permissions block"| B["contents: read"]
    B -->|"Applied to"| C["backend-tests job"]
    B -->|"Applied to"| D["frontend-tests job"]
    C -->|"Prevents"| E["Elevated token scopes"]
    D -->|"Prevents"| E

File Changes
1. .github/workflows/backend-tests.yml
🎉 This PR is included in version 1.2.2 🎉 The release is available on: Your semantic-release bot 📦🚀
Follow-up to #36. Qodo flagged on #36 that `backend-tests` now runs PR-controlled code on every PR (including forks) without an explicit `permissions:` block, so it inherits repo-default `GITHUB_TOKEN` scopes — against least-privilege. #36 was auto-merged before this hardening commit landed, so re-submitting it standalone:

`backend-tests` job → `permissions: contents: read`
`frontend-tests` job → `permissions: contents: read` (also runs PR/fork code)

Both jobs only check out and run the plugin; they need no write scopes. The `release` job keeps its own elevated permissions in `test-and-release.yml`.

🤖 Generated with Claude Code
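The weak and hardened shapes of a PR-triggered test job, plus the separate release job that keeps its write scopes, as an added illustration rather than the repository's own workflow files; the test command, runner image and the release job's exact scopes are assumptions.

```yaml
# Before (weak): no permissions block. The job executes code from the PR
# head, yet its GITHUB_TOKEN carries whatever scopes the repository default
# grants (which can include write access).
name: backend-tests
on:
  pull_request:

jobs:
  backend-tests:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./run-tests.sh   # assumed test command; only needs a checkout
---
# After (hardened): explicit job-level least privilege. Listing only
# contents: read makes every other scope of GITHUB_TOKEN "none" for this job,
# so PR-controlled code cannot push, comment, or publish with it.
name: backend-tests
on:
  pull_request:

jobs:
  backend-tests:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - run: ./run-tests.sh
---
# test-and-release.yml (assumed shape): the release job alone declares the
# write scopes it needs, and it runs on push to the default branch, never on
# pull_request, so fork-submitted code never executes with these scopes.
name: test-and-release
on:
  push:
    branches: [main]

jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: write        # tag and publish the release
      issues: write          # release-note comments on issues/PRs (assumed)
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
      - run: npx semantic-release   # assumed release command
```

A quick check that the hardening took effect: in the job's log, the "GITHUB_TOKEN Permissions" section of the Set up job step should list only `Contents: read` for both test jobs.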