
fix: add explicit permissions to TypeScript SDK test workflow#32

Open
adnanrhussain wants to merge 2 commits into main from ahussain/workflow-permissions-test-sdk

Conversation

@adnanrhussain (Contributor) commented Apr 8, 2026

Summary

  • Resolves code scanning alerts #1, #5 - workflow was relying on default repository permissions instead of declaring explicit least-privilege permissions
  • Rather than granting actions: write (which styfle/cancel-workflow-action requires), we replaced it with native concurrency — keeping the final permission scope to contents: read only
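
The swap the summary describes, shown as an added example rather than the PR's own diff: the form that needs actions: write beside the form that keeps the token at contents: read by using native concurrency. The workflow name, job and step names, and the action version tag are assumptions.

```yaml
# Added example, not this repository's workflow file. Two documents: the
# "before" and "after" shapes of one workflow. Names and versions are assumed.

# BEFORE: a third-party action cancels superseded runs, so GITHUB_TOKEN must
# carry actions: write for the whole workflow, not just for that one step.
name: test-typescript-sdk
on:
  pull_request:

permissions:
  contents: read   # needed by actions/checkout
  actions: write   # exists only so the cancel step can stop other runs

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: styfle/cancel-workflow-action@0.12.1   # version tag assumed
        with:
          access_token: ${{ github.token }}
      - uses: actions/checkout@v4
      - run: npm ci && npm test

---
# AFTER: the runner's own concurrency control cancels the superseded run for
# the same workflow and ref, so no actions scope is granted at all.
name: test-typescript-sdk
on:
  pull_request:

permissions:
  contents: read   # the complete grant; job-level placement is equivalent here

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  # Cancel only PR runs; pushes to the default branch keep running to completion.
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
```

Each document goes in its own file; the `---` separator only juxtaposes them for comparison.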

@adnanrhussain adnanrhussain requested a review from Copilot April 8, 2026 19:52

Copilot AI left a comment


Pull request overview

This PR addresses a GitHub code scanning alert by explicitly declaring least-privilege GITHUB_TOKEN permissions for the TypeScript SDK test workflow, rather than relying on repository defaults.

Changes:

  • Add an explicit top-level permissions block to the TypeScript SDK CI workflow.
  • Grant contents: read (for checkout) and actions: write (to support cancelling prior runs).


Comment on lines +17 to +20:

    permissions:
      contents: read
      actions: write


Copilot AI Apr 8, 2026


This repo’s other workflows set permissions at the job level (e.g. .github/workflows/publish-typescript-sdk.yml:11, release-please.yml:10, conventional-commits.yml:16). To stay consistent and keep future least-privilege tighter, consider moving this workflow-level permissions block down into each job (or only jobs that require elevated scopes).

codecov bot commented Apr 8, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
