fix(ci): drop secrets: inherit from titus secrets-scan caller (least-privilege)#83
Conversation
|
Warning Review limit reached
More reviews will be available in 9 minutes and 27 seconds. Learn how PR review limits work. Your organization has run out of usage credits. Purchase more in the billing tab. ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available. Please see our Fair Usage Limits Policy for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
|
Claude review skipped — non-code PR (only changed files matching |
|
Gemini review skipped — non-code PR (only changed files matching |
|
Codex review skipped — non-code PR (only changed files matching |
Why
The
titus-scan.ymlreusable declares nosecrets:block — it only usesGITHUB_TOKEN, which GitHub Actions auto-grants to called reusable workflowswithout
secrets: inherit. Sosecrets: inherithere forwarded this repo'sentire secret store to the reusable for nothing — an unnecessary blast-radius
expansion that violates least-privilege (GitHub Well-Architected: "Avoid
secrets: inherit… pass only required secrets").This drops
secrets: inheritfrom the calling job. Scanner behavior isunchanged (jupiter #293 already runs green without it). Permissions and
fail-on-findingsare untouched.🤖 Generated with Claude Code