chore: bump actions in ci #2665
Conversation
We previously relied on this fork https://github.com/vaind/download-artifact (that is in dire need of getting synced), or, like here, we wrap action/download-artifact in 10 lines of bash and call it a day.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit 977760a.
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 |
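Review bot: the replacement line keeps the SHA-pin-plus-version-comment convention of the line it removes, but the trailing `# v6.0.2` comment is informational only and is not checked by the runner; confirm that de0fac2e4500dabe0009e67214ff5f5447ce83dd is the commit actually tagged v6.0.2 in actions/checkout before merging. The bump also spans three major versions (v3 to v6), so the release notes between them are worth a look for any step relying on older checkout behaviour.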
Missing actions: read permission for artifact API call
High Severity
The build.yml workflow explicitly restricts permissions to checks: write, statuses: write, and contents: read. When permissions are explicitly listed, all unlisted scopes default to none. The new wait-for-artifact composite action uses gh api to call the Actions REST API (/actions/runs/.../artifacts), which requires actions: read permission on the GITHUB_TOKEN. The old vaind/download-artifact fork used internal runtime APIs (via ACTIONS_RUNTIME_TOKEN) that bypass REST API permission checks, so this wasn't needed before. Without adding actions: read to the permissions block, the gh api call will likely fail with a 403, breaking all four SDK download steps in build.yml.
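The permission point above, as an added illustration rather than this repository's own workflow: a minimal GitHub Actions job whose `permissions` block is listed explicitly (so every unlisted scope becomes `none`) and which calls the Actions REST API with `GITHUB_TOKEN`. The workflow and job names are hypothetical; the `actions: read` entry is the one addition the comment says the `gh api` call needs, and the block is otherwise kept at the scopes the comment quotes.

```yaml
name: example-wait-for-artifact   # hypothetical workflow name, not the project's
on: [push]

# Listing permissions explicitly turns every unlisted scope into `none`.
# The block described in the review had only the first three entries;
# `actions: read` is the least-privilege addition that lets GITHUB_TOKEN
# read artifact metadata through the REST API.
permissions:
  checks: write
  statuses: write
  contents: read
  actions: read   # needed for GET /repos/{owner}/{repo}/actions/runs/{run_id}/artifacts

jobs:
  wait-for-artifact:   # hypothetical job name
    runs-on: ubuntu-latest
    steps:
      - name: List artifacts of this run via the REST API
        env:
          GH_TOKEN: ${{ github.token }}   # gh reads its token from GH_TOKEN
        run: |
          # Without `actions: read` in the permissions block this call
          # returns HTTP 403 instead of the artifact list.
          gh api "repos/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}/artifacts" \
            --jq '.artifacts[].name'
```

Only the one scope the call needs is added; the rest of the block stays as narrow as before. A quick way to confirm the fix is to run the step once on a branch and check that the `gh api` call returns a JSON body rather than a 403 in the job log.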


This addresses the 79 warnings that
which will hit us in June.
#skip-changelog