fix(release): use correct permissions for self-release #9
Merged
dmccaffery merged 5 commits into … on Jun 21, 2026
Conversation
dmccaffery (Collaborator) commented Jun 20, 2026
- rename CodeQL workflows to security now that they go beyond just CodeQL
- use correct permissions for release workflows
- update security reports to use permalinks (these reports should be immutable but were previously using relative locations into the current commit)
Rename the reusable CodeQL workflow from .github/workflows/codeql.yaml to security.yaml (name 'Reusable Security Analysis'), with the dogfooding caller self-codeql.yaml -> self-security.yaml and the copy-paste example examples/codeql.yaml -> examples/security.yaml. Update every reference: the self-merge / self-dependabot-merge workflow_run lists, zizmor.yaml, .github/codeql/codeql-config.yaml, and the README catalog/anchor/uses/full-example.

Standardise display names alongside: reusable workflows take a 'Reusable ' prefix; self-* and example callers move to Title Case ('Continuous Integration', 'Dependabot Auto-Merge', 'Merge Notice'); the synced workflow_run trigger lists match. The merge.yaml / release.yaml if: expressions are only re-wrapped (folded scalars, no behaviour change).

BREAKING CHANGE: the reusable workflow moved from .github/workflows/codeql.yaml to .github/workflows/security.yaml. Consumers must update their caller's uses: from bitwise-media-group/github-workflows/.github/workflows/codeql.yaml@<ref> to .../security.yaml@<ref>.

Signed-off-by: Deavon M. McCaffery <dmccaffery@users.noreply.github.com>
GitHub resolves a reusable workflow's permissions as the union of every job and ignores if:, so self-release.yaml must grant the goreleaser job's id-token / attestations / artifact-metadata even though that job is skipped here (no .goreleaser.yaml). Without them the run fails at startup.

Signed-off-by: Deavon M. McCaffery <dmccaffery@users.noreply.github.com>
Stop telling callers the id-token / attestations / artifact-metadata scopes are 'GoReleaser path only' and safe to drop without a .goreleaser.yaml. GitHub unions a reusable workflow's job permissions and ignores if:, so the skipped goreleaser job still requires them. Matches the README guidance and self-release.yaml.

Signed-off-by: Deavon M. McCaffery <dmccaffery@users.noreply.github.com>
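The permission-union behaviour described in the two commits above, as an added example that is not part of this PR or the repository's own files: a trimmed reusable release workflow whose goreleaser job is conditional, next to the caller that still has to grant every scope that job declares. The org name, file paths and the `detect` job are assumptions; the `goreleaser` job name and the `id-token` / `attestations` / `artifact-metadata` scopes come from the PR text.

```yaml
# Added example, not the repository's own files. Paths, org name and the
# `detect` job are assumptions; the permission names and the goreleaser
# job are taken from the PR description.

# --- Reusable workflow: .github/workflows/release.yaml (trimmed) -----------
name: Reusable Release
on:
  workflow_call:

jobs:
  detect:
    runs-on: ubuntu-latest
    outputs:
      has-goreleaser: ${{ steps.probe.outputs.found }}
    steps:
      - uses: actions/checkout@v4
      - id: probe
        run: |
          if [ -f .goreleaser.yaml ]; then
            echo "found=true" >> "$GITHUB_OUTPUT"
          else
            echo "found=false" >> "$GITHUB_OUTPUT"
          fi

  goreleaser:
    needs: detect
    # Skipped when the caller has no .goreleaser.yaml, but the caller's
    # permission grant is checked before any `if:` is evaluated.
    if: needs.detect.outputs.has-goreleaser == 'true'
    runs-on: ubuntu-latest
    permissions:
      contents: write
      id-token: write          # OIDC token for keyless signing
      attestations: write      # build-provenance attestations
      artifact-metadata: write
    steps:
      - uses: actions/checkout@v4
      # goreleaser / attestation steps elided

---
# --- Caller: self-release.yaml (the dogfooding workflow) -------------------
name: Self Release
on:
  push:
    tags: ['v*']

jobs:
  release:
    uses: example-org/github-workflows/.github/workflows/release.yaml@main
    # Too narrow: the run fails at startup even though goreleaser is skipped,
    # because GitHub requires the caller to grant the union of every job's
    # `permissions:` block in the callee.
    #   permissions:
    #     contents: write
    #
    # Correct grant, matching what the callee's jobs declare:
    permissions:
      contents: write
      id-token: write
      attestations: write
      artifact-metadata: write
```

The scopes are granted at the caller's job level, which is the only place a caller can pass permissions to a reusable workflow; narrowing them per step inside the callee does not change what the caller must grant.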
The triage records are meant to be immutable, so each Location now links to a GitHub permalink at that finding's detected commit SHA instead of a bare path:line that drifts as files are renamed or re-flowed. Findings 4 and 5 point at codeql.yaml (the path at 66b14ef), not the renamed security.yaml.

Signed-off-by: Deavon M. McCaffery <dmccaffery@users.noreply.github.com>
(Contributor)
Note: Merging this PR: this repository merges by fast-forward, so every … The branch must be up to date with …
tiffanywang3 previously approved these changes Jun 20, 2026
dmccaffery (Collaborator, Author) commented:
/merge
…e changes GitHub rejects any ref update whose commits add or edit a .github/workflows/ file unless the token holds the Workflows permission. The minted FF Merge App token requested only contents/pull-requests(/administration), so a /merge or auto-merge of a PR touching workflow files failed updateRef with 403 'Resource not accessible by integration'. Add permission-workflows: write to every token mint that feeds an ff-merge ref move (merge.yaml manual/arm/merge-on-checks/ merge-on-review, dependabot-merge.yaml merge job). The approve-only Dependabot job is unchanged since it never moves a ref. Requires the FF Merge App to be granted Workflows: Read and write on its installation.

Signed-off-by: Deavon M. McCaffery <dmccaffery@users.noreply.github.com>
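The token-mint fix in the commit above, as an added example that is not the repository's merge.yaml: a minimal fast-forward merge job that mints a GitHub App token with `actions/create-github-app-token` and moves the base ref with the REST update-ref call. The secret names, step ids and the `/merge` comment trigger are assumptions; `permission-workflows: write` is the input named in the PR text.

```yaml
# Added example, not the repository's own workflow. Secret names, step ids and
# the comment trigger are assumptions; the permission-workflows input and the
# 403 failure mode are from the PR description.
name: Fast-Forward Merge (example)
on:
  issue_comment:
    types: [created]

jobs:
  ff-merge:
    if: github.event.issue.pull_request && github.event.comment.body == '/merge'
    runs-on: ubuntu-latest
    steps:
      - id: app-token
        uses: actions/create-github-app-token@v2
        with:
          app-id: ${{ secrets.FF_MERGE_APP_ID }}
          private-key: ${{ secrets.FF_MERGE_APP_PRIVATE_KEY }}
          permission-contents: write
          permission-pull-requests: write
          # Needed for any ref update whose commits touch .github/workflows/.
          # Without it the ref move fails with 403 'Resource not accessible by
          # integration'. The App installation itself must also hold
          # Workflows: Read and write, or this mint is rejected.
          permission-workflows: write

      - name: Resolve PR head SHA and base branch
        id: pr
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
          PR_NUMBER: ${{ github.event.issue.number }}
        run: |
          gh api "repos/${GITHUB_REPOSITORY}/pulls/${PR_NUMBER}" \
            --jq '"sha=\(.head.sha)\nbase=\(.base.ref)"' >> "$GITHUB_OUTPUT"

      - name: Fast-forward base to PR head
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
          BASE: ${{ steps.pr.outputs.base }}
          SHA: ${{ steps.pr.outputs.sha }}
        run: |
          # force=false makes the API refuse anything that is not a
          # fast-forward, which is why the branch must already be up to date.
          gh api -X PATCH "repos/${GITHUB_REPOSITORY}/git/refs/heads/${BASE}" \
            -f sha="${SHA}" -F force=false
```

Branch name and SHA are passed through `env:` rather than interpolated directly into the `run:` script so that a crafted branch name cannot become shell input, which is the pattern zizmor checks for in the repository's workflows.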