@Uzlopak Uzlopak commented Sep 10, 2025

Fixes
https://github.com/nodejs/undici/security/code-scanning/395
https://github.com/nodejs/undici/security/code-scanning/386
https://github.com/nodejs/undici/security/code-scanning/385
https://github.com/nodejs/undici/security/code-scanning/384

This relates to...

Rationale

Changes

Features

Bug Fixes

Breaking Changes and Deprecations

Status

@Uzlopak Uzlopak requested a review from Copilot September 12, 2025 22:13

Copilot AI left a comment

Pull Request Overview

This PR addresses security vulnerabilities by moving GitHub workflow permissions from the workflow level to the job level, following security best practices to limit permission scope.

  • Relocates permissions from workflow-level to job-level in three GitHub Actions workflows
  • Removes workflow-level permissions in triggered-autobahn.yml (read-only workflow)
  • Adds minor formatting improvement in autobahn.yml

Reviewed Changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| .github/workflows/update-submodules.yml | Moves write permissions from workflow to job level |
| .github/workflows/triggered-autobahn.yml | Removes workflow-level permissions (job uses defaults) |
| .github/workflows/backport.yml | Moves write permissions from workflow to job level |
| .github/workflows/autobahn.yml | Adds blank line for formatting consistency |
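
The scoping change described in the overview above, as an added example that is not part of this PR or of undici's workflows: a small Node.js scanner that reports the scopes granted `write` by a workflow-level `permissions:` block, run over a workflow-level and a job-level variant of the same workflow. Both workflows are constructed samples, the scope and job names are assumptions (the page does not list them), and the scanner is a line-based heuristic for block-style YAML rather than a full parser.

```javascript
// Added example: line-based heuristic for block-style YAML, not a full parser.
function findWorkflowLevelWrites(yamlText) {
  const findings = [];
  let inTopLevelPermissions = false;
  for (const rawLine of yamlText.split(/\r?\n/)) {
    const line = rawLine.replace(/(^|\s+)#.*$/, '').trimEnd(); // drop comments
    if (line === '') continue;
    if (!/^\s/.test(line)) { // column-0 key starts or ends the workflow-level block
      const top = /^permissions:\s*(.*)$/.exec(line);
      inTopLevelPermissions = top !== null;
      if (top && top[1] === 'write-all') findings.push('write-all');
    } else if (inTopLevelPermissions) {
      const kv = /^\s+([a-z-]+):\s*write$/.exec(line);
      if (kv) findings.push(kv[1]);
    }
  }
  return findings;
}
// Constructed sample: write scopes declared once and inherited by every job.
const WORKFLOW_LEVEL = `
on: workflow_dispatch
permissions:
  contents: write
  pull-requests: write
jobs:
  lint:
    runs-on: ubuntu-latest
    steps: [{ run: echo lint }]
  update:
    runs-on: ubuntu-latest
    steps: [{ run: echo update }]
`;
// Constructed sample: same jobs, write scopes only on the job assumed to need them.
const JOB_LEVEL = `
on: workflow_dispatch
jobs:
  lint:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps: [{ run: echo lint }]
  update:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write
    steps: [{ run: echo update }]
`;
console.log(findWorkflowLevelWrites(WORKFLOW_LEVEL), findWorkflowLevelWrites(JOB_LEVEL));
```

In the workflow-level sample the `lint` job's token also carries both write scopes; in the job-level sample only `update` does.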


@mcollina mcollina left a comment

lgtm

@mcollina mcollina merged commit ec7edd2 into main Sep 15, 2025
34 of 35 checks passed
@Uzlopak Uzlopak deleted the set-write-permissions-on-job-level branch September 15, 2025 15:38
@github-actions github-actions bot mentioned this pull request Jan 5, 2026

3 participants