ci: scope GitHub Actions permissions to jobs (Aikido)#11
Closed
dorothyyzh wants to merge 4 commits into
Closed
Conversation
…erly-broad-permissions)
Move workflow-level permissions into the build job and set the workflow-level
permissions to {} so future jobs must opt in explicitly. Resolves Aikido
sub-issues #211116553 and #211116554.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Latest pnpm (v11+) requires Node.js v22.13+; the previous Node 18 matrix has been failing 'pnpm install' since pnpm-action-setup started resolving 'latest' to v11. Bump matrix to 22.x so CI can install dependencies again. Verified locally that pnpm install and pnpm build both succeed on Node 22+. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
pnpm v10+ promoted ignored build scripts from a warning to an install error (ERR_PNPM_IGNORED_BUILDS). esbuild's postinstall is required to fetch the platform-native binary that vite depends on. Whitelist it explicitly via pnpm.onlyBuiltDependencies — narrower than disabling the check globally, keeps the supply-chain hardening intact for every other dependency. Verified locally: pnpm install runs clean (no warning) and pnpm build succeeds. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
pnpm v11 stopped reading 'pnpm.onlyBuiltDependencies' from package.json and moved the build-script allowlist exclusively into pnpm-workspace.yaml. This repo is single-package and was previously running against pnpm v9/v10, so the legacy config + v11 combo produces ERR_PNPM_IGNORED_BUILDS. Pin pnpm-action-setup to version: 10 — that's where the existing package.json shape is supported. Avoids restructuring the project just to satisfy a major-version upstream change. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
permissions: { contents: write, packages: write }into thebuildjob and set the workflow-levelpermissions: {}so future jobs must opt in explicitlyAIK_yaml_gh-actions-overly-broad-permissions(CWE-250)Aikido Issues Resolved
contents: writeat workflow levelpackages: writeat workflow levelVerification
Deployment Note
Skill does not touch
release-*branches. Merging this PR is handled per team policy.