Skip to content
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 3 additions & 3 deletions .github/workflows/osv-scanner-pr.yml
Original file line number Diff line number Diff line change
Expand Up @@ -13,11 +13,11 @@ concurrency:
group: osv-scanner-pr-${{ github.event.pull_request.base.repo.full_name || github.repository }}-${{ github.event.pull_request.number }}
cancel-in-progress: true

# Least-privilege top level: read-only. The osv-scan job below declares the
# security-events: write scope it needs to upload SARIF to code scanning
# (see github/codeql-action#2117).
permissions:
# Upload SARIF to Security > Code Scanning. See github/codeql-action#2117.
actions: read
contents: read
security-events: write

jobs:
cancel-closed-pr-runs:
Expand Down
6 changes: 6 additions & 0 deletions .github/workflows/pr-review-merge-scheduler.yml
Original file line number Diff line number Diff line change
Expand Up @@ -115,6 +115,12 @@ on:
required: false
default: "420"

# Least-privilege top level: read-only. scan-pr-queue declares the exact
# write scopes it needs (actions/contents/pull-requests write, id-token,
# checks read); cancel-closed-pr-runs only inherits contents: read.
permissions:
contents: read

concurrency:
group: >-
central-pr-review-merge-scheduler-${{ github.repository }}-${{
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/security-scan.yml
Original file line number Diff line number Diff line change
Expand Up @@ -35,10 +35,10 @@ concurrency:
group: security-scan-${{ github.event.pull_request.base.repo.full_name || github.repository }}-${{ github.event.pull_request.number }}
cancel-in-progress: true

# Least-privilege top level: read-only. Every job below declares the exact
# write scope it needs (security-events: write for SARIF upload, etc.).
permissions:
actions: read
contents: read
security-events: write

jobs:
cancel-closed-pr-runs:
Expand Down
14 changes: 10 additions & 4 deletions .github/workflows/strix.yml
Original file line number Diff line number Diff line change
Expand Up @@ -92,12 +92,12 @@ concurrency:
# commit. Closed PR events only cancel older runs for the same PR/head group.
cancel-in-progress: ${{ github.event_name == 'pull_request_target' && github.event.action == 'closed' }}

# Least-privilege top level: read-only. The scan job declares the write
# scopes it needs (id-token for OIDC token exchange, statuses for commit
# status, plus actions/models reads); publish-manual-pr-evidence-status
# declares its own. cancel-closed-pr-runs only inherits contents: read.
permissions:
actions: read
contents: read
id-token: write
models: read
statuses: write

jobs:
cancel-closed-pr-runs:
Expand All @@ -117,6 +117,12 @@ jobs:
# the time. Fail-closed: hitting the cap fails the run, never passes it.
timeout-minutes: 60
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
id-token: write
models: read
statuses: write
env:
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
steps:
Expand Down
Loading