ci: harden GitHub Actions workflow permissions#620
…ing-workflow-permissions)
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: d48468b7db
| types: [translation-release] | ||
|
|
||
| permissions: | ||
| contents: read |
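Review bot: `contents: read` at the top level strips push rights from the default `GITHUB_TOKEN`, yet the description says this workflow checks out with that default token and uses the App token only for `gh pr create`; any `git push` over the credential `actions/checkout` persisted will now be rejected. Mint the App token in a step before checkout and pass it to `actions/checkout` via its `token:` input, or keep `contents: write` on this workflow.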
Restore a write credential for translation branch pushes

When a `repository_dispatch` actually changes the translation version, `actions/checkout` leaves `origin` configured with the default `GITHUB_TOKEN`; after this permission is reduced to read-only, the later `git push -u origin "$BRANCH"` on line 42 will try to push with that read-only token and be rejected. The App token in `GH_TOKEN` is only used by `gh pr create`, so either checkout/push needs to use `steps.app-token.outputs.token` or this workflow still needs a write-capable `contents` token.
…GITHUB_TOKEN, not app token)
Adversarial review caught an under-scope:
What

Add an explicit, least-privilege top-level `permissions:` block to three GitHub Actions workflows that previously had none.

Why

CodeQL rule `actions/missing-workflow-permissions` (CWE-275) fired on these files because, lacking a top-level `permissions:` key, each workflow's `GITHUB_TOKEN` inherits the repository's default token scope (potentially read/write across many scopes). The fix is to declare the minimal scope each workflow actually needs, so the default token is locked down regardless of the repo-level default. This came out of the 2026-06-17 org security triage.

Changes

Each block was chosen by inspecting what the workflow's jobs actually do with the `GITHUB_TOKEN`:

- `.github/workflows/build.yml`: `contents: read`. `workflow_dispatch` EAS build. Only checks out code; build/submit auth uses external secrets (`EXPO_TOKEN`, `RXDB_LICENSE_KEY`, `UNIWIND_AUTH_TOKEN`). No step uses `GITHUB_TOKEN` to write.
- `.github/workflows/update-translations.yml`: `contents: read`. Writes use an App token (`actions/create-github-app-token` → `steps.app-token.outputs.token`), not `GITHUB_TOKEN`. The default token is used only for the read-only checkout.
- `.github/workflows/add-to-roadmap.yml`: `contents: read`. Project access uses its own secrets (`PROJECT_BOT_*`). `GITHUB_TOKEN` cannot write org projects and is used only for the read-only checkout.

Notes

`GITHUB_TOKEN` itself never needs more than `contents: read`. The `permissions:` block was inserted (after `on:`, before `jobs:`), preserving existing indentation. Behavior is unchanged.
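As an added illustration (not one of the PR's own workflow files), the shape of a dispatch-triggered workflow that keeps the default token at `contents: read` while still being able to push a branch: the App token is minted before checkout and handed to `actions/checkout`, so the persisted origin credential is the App token rather than the read-only `GITHUB_TOKEN`. The step id, the `APP_ID`/`APP_PRIVATE_KEY` secret names and the branch name are assumptions.

```yaml
# Added example, not the repository's own workflow. Secret names, the
# step id and the branch name are assumed for illustration.
name: update-translations
on:
  repository_dispatch:
    types: [translation-release]

# Top-level block, placed after `on:` and before `jobs:`. Without it the
# default GITHUB_TOKEN inherits the repo-wide default (possibly read/write
# on many scopes); with it, the default token can only read contents.
permissions:
  contents: read

jobs:
  update:
    runs-on: ubuntu-latest
    steps:
      # Mint the App token BEFORE checkout so it can be passed to checkout.
      - id: app-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.APP_ID }}            # assumed secret name
          private-key: ${{ secrets.APP_PRIVATE_KEY }}  # assumed secret name

      # actions/checkout persists the token it is given as the origin
      # credential. Passing the App token here means a later `git push`
      # authenticates with it; with the default token (now contents: read)
      # that push would be rejected.
      - uses: actions/checkout@v4
        with:
          token: ${{ steps.app-token.outputs.token }}

      - name: Push translation branch and open PR
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
          BRANCH: translations/update   # assumed branch name
        run: |
          git checkout -b "$BRANCH"
          # ... translation update commits would go here ...
          git push -u origin "$BRANCH"
          gh pr create --fill --head "$BRANCH"
```

A workflow that never pushes (the `build.yml` and `add-to-roadmap.yml` cases above) needs only the top-level block and can keep the plain `actions/checkout` with no `token:` input.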