ci: harden CI workflow permissions/concurrency + add Dependabot #1036
SalemOurabi wants to merge 2 commits into
Conversation
Greptile Summary
This PR hardens CI supply-chain security by adding least-privilege
Confidence Score: 4/5
Safe to merge after addressing the CodeQL concurrency group — the scheduled weekly security scan can be silently cancelled by a master push.
Important Files Changed
.github/workflows/codeql-analysis.yml: the CodeQL workflow now has a concurrency group, but the group needs the event name included to prevent the scheduled scan from being preempted by push triggers.
Flowchart
```mermaid
%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[push to master] -->|github.ref = refs/heads/master| G1
    B[weekly schedule] -->|github.ref = refs/heads/master| G1
    C[pull_request] -->|github.ref = refs/pull/N/merge| G2
    G1["concurrency group: codeql-refs/heads/master\n⚠️ SHARED KEY"]
    G2["concurrency group: codeql-refs/pull/N/merge"]
    G1 -->|cancel-in-progress: true| X["❌ One of push or schedule\nsilently cancelled"]
    G2 -->|cancel-in-progress: true| Y["✅ Old PR run cancelled\n(desired)"]
    style G1 fill:#ffcccc,stroke:#cc0000
    style X fill:#ffcccc,stroke:#cc0000
    style G2 fill:#ccffcc,stroke:#009900
    style Y fill:#ccffcc,stroke:#009900
```
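The change the summary asks for, shown as an added example rather than the PR's own codeql-analysis.yml. The current group key `codeql-${{ github.ref }}` is taken from the flowchart above; the trigger list, the cron schedule and the job body are placeholders that stand in for whatever the real workflow contains.

```yaml
# Added example, not the PR's codeql-analysis.yml. Only the concurrency block
# matters here; triggers, cron and the job are assumed placeholders.
name: CodeQL
on:
  push:
    branches: [master]
  pull_request:
    branches: [master]
  schedule:
    - cron: "0 3 * * 1"   # weekly scan (assumed time)

permissions:
  actions: read
  contents: read
  security-events: write   # required to upload the SARIF results

# Before: a push to master and the weekly schedule both resolve github.ref to
# refs/heads/master, so they share the key codeql-refs/heads/master and
# cancel-in-progress: true lets whichever starts second kill the other.
#
#   concurrency:
#     group: codeql-${{ github.ref }}
#     cancel-in-progress: true
#
# After: github.event_name is part of the key, so push, pull_request and
# schedule runs live in separate groups. Superseded runs on the same PR ref
# are still cancelled; a master push can no longer preempt the scheduled scan.
concurrency:
  group: codeql-${{ github.event_name }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # Dependabot can later pin this to a commit SHA
      # ... the real CodeQL init/autobuild/analyze steps go here
```

Keying on `github.event_name` is enough because a scheduled run and a push run are never both wanted to cancel each other; if the repository also triggers CodeQL on `workflow_dispatch`, that event gets its own group for free.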
Reviews (2): Last reviewed commit: "ci: add least-privilege permissions and ..."
```yaml
concurrency:
  group: ci-${{ github.ref }}
  cancel-in-progress: true
```
The current `cancel-in-progress: true` is unconditional, so rapid pushes to `master` (e.g. two PRs merged back-to-back) will cancel each other's CI runs. That means a commit that breaks `master` could silently slip past — the CI for the first merge gets killed before it finishes, and neither run produces a green or red result for that SHA. Cancelling superseded runs is valuable for PR branches but should be disabled for the default branch.
Current:
```yaml
concurrency:
  group: ci-${{ github.ref }}
  cancel-in-progress: true
```
Suggested:
```yaml
concurrency:
  group: ci-${{ github.ref }}
  cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}
```
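Review bot: the conditional `cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}` stops master runs from cancelling each other, but they still share the single group `ci-refs/heads/master`, and GitHub holds at most one pending run per concurrency group: while one master run is in progress a second queues as pending, and a third push replaces that pending run, so a burst of back-to-back merges still loses the middle SHA's result. If every master commit must get a verdict, key the master group on the commit instead, e.g. `group: ci-${{ github.ref == 'refs/heads/master' && github.sha || github.ref }}`; each master SHA then has its own group and runs independently, and `cancel-in-progress: true` can stay unconditional because it only ever affects PR refs.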
Prompt To Fix With AI
This is a comment left during a code review.
Path: .github/workflows/ci.yml
Line: 17-19
Comment:
The current `cancel-in-progress: true` is unconditional, so rapid pushes to `master` (e.g. two PRs merged back-to-back) will cancel each other's CI runs. That means a commit that breaks `master` could silently slip past — the CI for the first merge gets killed before it finishes, and neither run produces a green or red result for that SHA. Cancelling superseded runs is valuable for PR branches but should be disabled for the default branch.
```suggestion
concurrency:
  group: ci-${{ github.ref }}
  cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}
```
How can I resolve this? If you propose a fix, please make it concise.

ci.yml now declares `permissions` (`contents: read`) instead of the broad default token, and a concurrency group that cancels superseded runs on the same ref. Adds .github/dependabot.yml for weekly github-actions, npm (dev-grouped), and docker updates — which also lets Dependabot pin actions to commit SHAs.
e2e-tests.yaml: `permissions: contents: read` + concurrency cancelling superseded multi-OS runs. codeql-analysis.yml: `permissions` `actions: read` / `contents: read` / `security-events: write` (SARIF upload) + concurrency. Release/deploy workflows are intentionally left out — cancel-in-progress is unsafe mid-release/deploy.
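A `.github/dependabot.yml` that matches the description above, written here as an added example and not the file from the PR. The directories, the update day and the group name are assumptions; the three ecosystems, the weekly cadence and the grouping of development dependencies come from the description.

```yaml
# Added example, not the PR's own .github/dependabot.yml.
# Assumed: everything lives at the repository root, updates land on Mondays.
version: 2
updates:
  # Keeps `uses:` references current. For SHA-pinned actions written as
  # `uses: owner/repo@<sha> # vX.Y.Z`, Dependabot bumps the hash and the
  # version comment together, which is what makes pinning maintainable.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"

  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    # devDependencies (linters, test runners, build tooling) are rolled into
    # one PR; runtime dependencies are left ungrouped so that each change to
    # what ships to production is reviewed on its own.
    groups:
      dev-tooling:
        dependency-type: "development"

  - package-ecosystem: "docker"
    directory: "/"          # directory that contains the Dockerfile
    schedule:
      interval: "weekly"
      day: "monday"
```

Grouping only `dependency-type: "development"` is deliberate: a single batched PR for tooling keeps the noise down, while a bump to a runtime package still arrives as its own PR with its own changelog and diff to review, which is where supply-chain review effort is best spent.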
3331fcc to b0863b3
Please review the current PR head
CI hardening, rebased onto the latest master:
- ci.yml: least-privilege `permissions: contents: read` (was the broad default token) + a `concurrency` group that cancels superseded runs on the same ref.
- .github/dependabot.yml: weekly `github-actions` (also enables SHA-pinning), `npm` (dev/tooling grouped), and `docker` updates.
No job logic changed.