Skip to content

ci: restrict ci workflow permissions to read-only#541

Open
arpitjain099 wants to merge 1 commit into
nuxt:mainfrom
arpitjain099:chore/workflow-permissions
Open

ci: restrict ci workflow permissions to read-only#541
arpitjain099 wants to merge 1 commit into
nuxt:mainfrom
arpitjain099:chore/workflow-permissions

Conversation

@arpitjain099

Copy link
Copy Markdown

Small hardening change: set permissions: contents: read at the top of .github/workflows/ci.yml so the workflow token is read-only instead of inheriting the repository default. The job only does checkout and build/test, so nothing else is required.

Set an explicit least-privilege permissions block so the workflow GITHUB_TOKEN is scoped to contents: read instead of inheriting the repository default.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
@arpitjain099 arpitjain099 requested a review from danielroe as a code owner June 2, 2026 01:19
@vercel

vercel Bot commented Jun 2, 2026

Copy link
Copy Markdown

@arpitjain099 is attempting to deploy a commit to the Nuxt Team on Vercel.

A member of the Team first needs to authorize it.

@coderabbitai

coderabbitai Bot commented Jun 2, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 66eefd7c-1f5b-42be-8a87-ad13b27e6f05

📥 Commits

Reviewing files that changed from the base of the PR and between 747c064 and efc3ea9.

📒 Files selected for processing (1)
  • .github/workflows/ci.yml

📝 Walkthrough

Walkthrough

This PR adds an explicit permissions block to the CI workflow in .github/workflows/ci.yml, granting the GITHUB_TOKEN read access to repository contents. The declaration is placed at the top level of the workflow and applies to all jobs, establishing clear token scope boundaries for the CI pipeline.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately and concisely describes the main change: restricting CI workflow permissions to read-only access for the GitHub token.
Description check ✅ Passed The description clearly explains the hardening change, its purpose, and rationale, all directly related to the changeset.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant