Member

@rhamzeh rhamzeh commented Oct 3, 2025

Description

What problem is being solved?

How is it being solved?

What changes are made to solve it?

References

Review Checklist

  • I have clicked on "allow edits by maintainers".
  • I have added documentation for new/changed functionality in this PR or in a PR to openfga.dev [Provide a link to any relevant PRs in the references section above]
  • The correct base branch is being used, if not main
  • I have added tests to validate that the change in functionality is working as expected

Summary by CodeRabbit

  • Chores
    • Updated CI workflow permissions to include a top-level default of read-only access for repository contents, enhancing security posture.
    • Existing per-job permission settings remain intact; no steps, triggers, or conditions were altered.
    • No impact on application features, behavior, or release artifacts.
    • Builds and deployments should proceed as before with reduced default access for actions.

@rhamzeh rhamzeh requested a review from a team as a code owner October 3, 2025 13:07
Contributor

coderabbitai bot commented Oct 3, 2025

Walkthrough

Adds a top-level permissions block to .github/workflows/main.yaml setting contents: read by default, leaving existing per-job permissions and steps unchanged.

Changes

| Cohort / File(s) | Summary |
|---|---|
| CI workflow permissions: .github/workflows/main.yaml | Introduced top-level permissions: contents: read. No step or condition changes; existing per-job permissions remain. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

Suggested reviewers

  • jimmyjames

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title Check | ✅ Passed | The title clearly and concisely summarizes the primary change by indicating a CI chore to restrict permissions in the main workflow, which directly corresponds to the addition of a top-level permissions block in .github/workflows/main.yaml and follows conventional commit conventions. |
| Docstring Coverage | ✅ Passed | No functions found in the changes. Docstring coverage check skipped. |

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9ae0837 and 2117410.

📒 Files selected for processing (1)
  • .github/workflows/main.yaml (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (7)
  • GitHub Check: Test and Build OpenFGA (21)
  • GitHub Check: Test and Build OpenFGA (17)
  • GitHub Check: Test and Build OpenFGA (11)
  • GitHub Check: Analyze (java)
  • GitHub Check: Test and Build OpenFGA (17)
  • GitHub Check: Test and Build OpenFGA (21)
  • GitHub Check: Test and Build OpenFGA (11)


codecov-commenter commented Oct 3, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 35.19%. Comparing base (9ae0837) to head (2117410).

Additional details and impacted files
@@            Coverage Diff            @@
##               main     #225   +/-   ##
=========================================
  Coverage     35.19%   35.19%           
  Complexity     1071     1071           
=========================================
  Files           187      187           
  Lines          7087     7087           
  Branches        803      803           
=========================================
  Hits           2494     2494           
  Misses         4483     4483           
  Partials        110      110           


@rhamzeh rhamzeh added this pull request to the merge queue Oct 3, 2025
Merged via the queue into main with commit 5441476 Oct 3, 2025
25 checks passed
@rhamzeh rhamzeh deleted the chore/ci-restrict-main-workflow-permissions branch October 3, 2025 14:22
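
The permission layout described in the walkthrough, as an added example that is not the project's main.yaml and not part of the original thread; the workflow name, triggers, job names and script paths are assumptions:

```yaml
# Constructed example workflow, not the contents of the project's main.yaml.
name: build-and-release        # hypothetical workflow name

on:
  push:
    branches: [main]
  pull_request:

# Workflow-level default for the GITHUB_TOKEN of every job below.
# Once any scope is listed here, all scopes that are not listed
# (packages, issues, pull-requests, id-token, ...) are set to none.
permissions:
  contents: read

jobs:
  test:                        # hypothetical job
    runs-on: ubuntu-latest
    # No job-level permissions block: this job inherits contents: read,
    # so a compromised test dependency cannot push commits or tags.
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/test.sh       # hypothetical script path

  release:                     # hypothetical job that needs write access
    needs: test
    if: github.event_name == 'push'
    runs-on: ubuntu-latest
    # A job-level block replaces the workflow default for this job; it is
    # not merged with it. List every scope the job needs, and nothing more.
    permissions:
      contents: write          # required to create tags and releases
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/release.sh    # hypothetical script path
```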