ci: harden GitHub Actions workflow permissions#34
Conversation
…ing-workflow-permissions)
|
Warning Review limit reached
More reviews will be available in 21 minutes and 28 seconds. Learn how PR review limits work. To continue reviewing without waiting, enable usage-based billing in the billing tab. ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits. 🚦 How do rate limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan refill rate. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, the refill rate gradually slows as usage increases. The highest same-day bursts are limited more strictly. Please see our Fair Usage Limits Policy for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Repository: wcpos/coderabbit/.coderabbit.yaml Review profile: CHILL Plan: Pro Plus Run ID: 📒 Files selected for processing (2)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
Summary
CodeQL rule
actions/missing-workflow-permissions(CWE-275) fired on two workflow files because they had no top-levelpermissions:block and therefore inherited the repository defaultGITHUB_TOKENscope. This PR adds an explicit, least-privilege top-levelpermissions:block to each flagged workflow.Changes
.github/workflows/tests.ymlcontents: readGITHUB_TOKENto write. Read is sufficient..github/workflows/lint.ymlcontents: readGITHUB_TOKENto write. Read is sufficient.Both blocks are placed after
concurrency:and beforejobs:, matching the existing two-space indentation.Notes
permissions:blocks; no job, step, or trigger logic was modified. Both files still parse as valid YAML.contents: readat the top level also implicitly drops every other permission tonone, which is the intended hardening.