Skip to content

chore: reconfigure permission model for Github actions MCP-279 #714

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Nov 6, 2025
Merged

chore: reconfigure permission model for Github actions MCP-279 #714

merged 2 commits into from
Nov 6, 2025
+34 −6

Conversation

@himanshusinghs
Copy link
Collaborator

@himanshusinghs himanshusinghs commented Nov 4, 2025
edited
Loading

Proposed changes

Modifies the Github workflows (Code Health and Code Health from fork) to work with least privileges and fixes the accidental problem where dependabot created PRs and forked PRs were not being tested for the modified dependencies and PR contents.

Additionally, we don't persist Git credentials when not required.

Checklist

@himanshusinghs himanshusinghs requested a review from a team as a code owner November 4, 2025 13:56
Copilot AI review requested due to automatic review settings November 4, 2025 13:56
Copilot AI reviewed Nov 4, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR reconfigures GitHub Actions permissions following the principle of least privilege and fixes an issue preventing Dependabot PRs from being tested. The changes grant minimal required permissions (contents: read) and disable credential persistence to improve security, while also re-enabling code health checks for both Dependabot and fork PRs.

Key Changes:

  • Switched from empty permissions to explicit contents: read permission
  • Added persist-credentials: false to all checkout actions for security hardening
  • Changed code-health-fork.yml trigger from pull_request_target to pull_request and re-enabled fork PR testing

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File Description
.github/workflows/code-health.yml Added explicit read permission and disabled credential persistence across all checkout steps
.github/workflows/code-health-fork.yml Changed trigger event, updated permissions, re-enabled fork testing, and disabled credential persistence

@himanshusinghs himanshusinghs changed the title chore: reconfigure permission model for Github actions chore: reconfigure permission model for Github actions MCP-279 Nov 4, 2025
@himanshusinghs himanshusinghs force-pushed the chore/ci-workflow-permission-mods branch from 5c1527d to 59b5372 Compare November 4, 2025 13:59
@coveralls
Copy link
Collaborator

coveralls commented Nov 4, 2025
edited
Loading

Pull Request Test Coverage Report for Build 19110567098

Details

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage remained the same at 80.149%
Totals Coverage Status
Change from base Build 19074925294: 0.0%
Covered Lines: 6477
Relevant Lines: 7972
💛 - Coveralls

fmenezes
fmenezes reviewed Nov 4, 2025
View reviewed changes
.github/workflows/code-health-fork.yml
---
name: Code Health (fork)
on:
pull_request_target:
Copy link
Collaborator

@fmenezes fmenezes Nov 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if we are changing this, do we need separated workflows for fork and non fork?

Copy link
Collaborator Author

@himanshusinghs himanshusinghs Nov 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We already have separated workflows for both forks (code-health-fork.yml) and non-forks (code-health.yml). The problem earlier was that code-health-fork.yml was never testing the actual changes of the pull request because the workflow was triggered by pull_request_target trigger which was acting in the context of main branch and never checking out the pull request changes.

@himanshusinghs himanshusinghs force-pushed the chore/ci-workflow-permission-mods branch from 59b5372 to 0569695 Compare November 5, 2025 08:32
nirinchev
nirinchev approved these changes Nov 6, 2025
View reviewed changes
.github/workflows/cleanup-atlas-env.yml
runs-on: ubuntu-latest
steps:
- uses: GitHubSecurityLab/actions-permissions/monitor@v1
- uses: actions/checkout@v5
Copy link
Collaborator

@nirinchev nirinchev Nov 6, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As an alternative, consider switching to v6-beta as that has a mitigation for the persist-credentials issue.

Copy link
Collaborator Author

@himanshusinghs himanshusinghs Nov 6, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The release is only 3 days. I am thinking of letting it marinate a bit before pulling it in. Will keep on eye on it though. Thanks for the heads up.

@himanshusinghs himanshusinghs merged commit 454e816 into main Nov 6, 2025
26 of 27 checks passed
@himanshusinghs himanshusinghs deleted the chore/ci-workflow-permission-mods branch November 6, 2025 11:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@fmenezes fmenezes fmenezes left review comments

Copilot code review Copilot Copilot left review comments

@nirinchev nirinchev nirinchev approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@himanshusinghs @coveralls @fmenezes @nirinchev