ci: scope GitHub Actions permissions to jobs (Aikido)#12

Merged
dorothyyzh merged 2 commits into main from fix/aikido-permissions-2026-05-11 on May 11, 2026

Conversation

@dorothyyzh

Contributor

Summary

  • Move workflow-level permissions: { contents: write, packages: write } into the build job; set the workflow level to permissions: {} so future jobs must opt in explicitly. Resolves Aikido AIK_yaml_gh-actions-overly-broad-permissions (CWE-250).
  • Pin pnpm-action-setup to version: 10. latest now resolves to pnpm v11, which drops the legacy package.json pnpm.* config keys and bumps the minimum Node requirement; pnpm install has been failing on every CI run since v11 shipped. Pinning to v10 restores the previous working state without changing the project layout or Node matrix.

Aikido Issues Resolved

Why this PR is split from a previous attempt

Earlier PR #11 also bumped the Node matrix to 22.x and added pnpm.onlyBuiltDependencies to package.json to work around two unrelated pnpm v11 breakages. Those changes are out of scope for an Aikido permissions fix and should be decided separately — this PR keeps the diff to the minimum needed to land the security fix.

Verification

  • Workflow YAML is syntactically valid; permissions semantics preserved (build job retains both original permissions)
  • CI uses pnpm v10 → matches the last known-green build (2026-02-28)

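The permissions change described in the summary, shown as an added before/after workflow pair (illustration only, not this repository's actual workflow file). The job name `build`, the two scopes and the pnpm pin come from the PR; the workflow name, triggers, step list, the `lint` job and the `pnpm/action-setup@v4` action reference are assumed.

```yaml
# BEFORE (assumed layout): one workflow-level grant that every job, present or future, inherits.
name: ci
on:
  push:
    branches: [main]
permissions:
  contents: write
  packages: write
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v4
        with:
          version: latest   # resolves to pnpm v11 today, which broke 'pnpm install' here
      - run: pnpm install --frozen-lockfile
---
# AFTER: the workflow grants nothing; each job declares only the scopes it needs.
name: ci
on:
  push:
    branches: [main]
permissions: {}
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: write   # the two scopes the original workflow granted globally
      packages: write
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v4
        with:
          version: 10       # pinned to the last major that accepts this repo's pnpm.* config
      - run: pnpm install --frozen-lockfile
  lint:
    # Assumed future job: it inherits nothing from the empty workflow-level block, so it
    # must opt in; any scope not listed in a job-level block is set to none.
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v4
        with:
          version: 10
      - run: pnpm install --frozen-lockfile
      - run: pnpm lint
```

A job that declares its own `permissions` block gets only the scopes it lists, so a job that needs to push tags or publish packages must restate those scopes itself rather than relying on the workflow level.
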
dorothyyzh and others added 2 commits May 11, 2026 15:35
…erly-broad-permissions)

Move workflow-level permissions into the build job and set the workflow-level
permissions to {} so future jobs must opt in explicitly. Resolves Aikido
sub-issues #211116553 and #211116554.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

pnpm-action-setup currently resolves 'latest' to pnpm v11, which dropped
the legacy package.json pnpm.* config keys and bumped the minimum Node
requirement. This repo has not migrated, so 'pnpm install' has been failing
on every CI run since pnpm v11 shipped. Pin to v10 to restore the previous
working state without touching project layout or Node version.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

@levin-liu levin-liu self-requested a review May 11, 2026 07:43
@dorothyyzh dorothyyzh merged commit d6ac7a4 into main May 11, 2026
2 checks passed