Skip to content

ci: declare permissions on the four project-automation workflows#8978

Open
arpitjain099 wants to merge 1 commit into
NVIDIA:mainfrom
arpitjain099:chore/project-automation-permissions
Open

ci: declare permissions on the four project-automation workflows#8978
arpitjain099 wants to merge 1 commit into
NVIDIA:mainfrom
arpitjain099:chore/project-automation-permissions

Conversation

@arpitjain099
Copy link
Copy Markdown

@arpitjain099 arpitjain099 commented May 14, 2026

The four project-automation workflows currently leave the workflow GITHUB_TOKEN scope implicit even though they trigger on pull_request_target and issues (the elevated-context paths).

This patch pins each to its minimum:

  • .github/workflows/project_automation_set_in_review.yml -- permissions: {} (workflow scope). Every step authenticates via tibdex/github-app-token@v1.8.0 with CCCL_AUTH_APP_ID + CCCL_AUTH_APP_PEM, so the workflow's own GITHUB_TOKEN has nothing to do.
  • .github/workflows/project_automation_set_roadmap.yml -- same shape, permissions: {}.
  • .github/workflows/project_automation_sync_pr_issues.yml -- same shape, permissions: {}.
  • .github/workflows/triage_rotation.yml -- permissions: issues: write per job. This one does use github.token (via GH_TOKEN: ${{ github.token }}) for gh issue edit --add-label, gh issue comment, and a GraphQL addAssigneesToAssignable mutation. issues: write is the minimum that covers all three.

Why this matters: pull_request_target and issues triggers run with the default-branch token grant, not the read-only fork-PR grant. Without an explicit permissions: block, the token gets whatever the repo default is, which can change. Pinning the scope keeps the contract documented in-file and aligns these four with backport-prs.yml, bench.yml, blackduck-sca.yml, and the rest of the hardened set.

Third-party action exposure that motivates the explicit scope: tibdex/github-app-token@v1.8.0 runs inside the workflow context. An explicit permissions: {} keeps any hypothetical compromise (cf. tj-actions/changed-files CVE-2025-30066) contained to the app token's installation scope rather than letting it also reach the workflow token.

No behavioural change to any of the four.

@arpitjain099
ci: declare permissions on the four project-automation workflows
46d9026 
The three project_automation_* workflows authenticate every step via
tibdex/github-app-token using CCCL_AUTH_APP_ID + CCCL_AUTH_APP_PEM,
so the workflow's implicit GITHUB_TOKEN is unused. `permissions: {}`
captures that contract.

triage_rotation.yml is the exception: it uses github.token directly
through `gh issue edit --add-label`, `gh issue comment`, and a
GraphQL addAssigneesToAssignable mutation. Per-job `issues: write`
is the minimum that covers all three calls.

All four trigger on pull_request_target / issues, the elevated-context
shape, so pinning the workflow scope is high-signal: the implicit
default-branch GITHUB_TOKEN no longer has anything to grant the
project_automation workflows, and triage_rotation is scoped to just
the API calls it actually makes.

Style matches the per-job and workflow-level permissions blocks
already used in backport-prs.yml, bench.yml, blackduck-sca.yml, and
the other hardened workflows.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
@arpitjain099 arpitjain099 requested a review from a team as a code owner May 14, 2026 01:18
@arpitjain099 arpitjain099 requested a review from jrhemstad May 14, 2026 01:18
@copy-pr-bot
Copy link
Copy Markdown
Contributor

copy-pr-bot Bot commented May 14, 2026

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

@github-project-automation github-project-automation Bot moved this to Todo in CCCL May 14, 2026
@cccl-authenticator-app cccl-authenticator-app Bot moved this from Todo to In Review in CCCL May 14, 2026
@coderabbitai
Copy link
Copy Markdown

coderabbitai Bot commented May 14, 2026

Review Change Stack

📝 Walkthrough

Summary by CodeRabbit

  • Chores
    • Updated GitHub Actions workflow configurations to improve automation reliability and security for project management and issue triage processes.

Walkthrough

Four GitHub Actions workflows are updated to explicitly configure token permissions: three restrict default GITHUB_TOKEN permissions to empty (they use GitHub App token instead), and one enables explicit issues: write permission at the job level for issue assignment.

Changes

GitHub Actions Workflow Permission Hardening

Layer / File(s) Summary
Restrict default permissions in project automation workflows
.github/workflows/project_automation_set_in_review.yml, .github/workflows/project_automation_set_roadmap.yml, .github/workflows/project_automation_sync_pr_issues.yml		 Three workflows add top-level permissions: {} to explicitly remove default GITHUB_TOKEN permissions, since each uses tibdex/github-app-token for authentication instead.
Enable explicit issue permissions for triage workflow
.github/workflows/triage_rotation.yml		 Job-level permissions: { issues: write } added to assign_issues job, enabling it to assign and manipulate issues via GitHub API.

Comment @coderabbitai help to get the list of available commands and usage tips.

coderabbitai[bot]
coderabbitai Bot reviewed May 14, 2026
View reviewed changes
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 841ae019-28b7-449c-abff-4cded9c7a03a

📥 Commits

Reviewing files that changed from the base of the PR and between 5d79bc2 and 46d9026.

📒 Files selected for processing (4)
  • .github/workflows/project_automation_set_in_review.yml
  • .github/workflows/project_automation_set_roadmap.yml
  • .github/workflows/project_automation_sync_pr_issues.yml
  • .github/workflows/triage_rotation.yml

Comment thread .github/workflows/project_automation_sync_pr_issues.yml
Comment on lines +36 to +37
# Workflow token unused: every step authenticates via tibdex/github-app-token.
permissions: {}
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot May 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Find workflow actions not pinned to a full 40-char commit SHA.
# Expected: this flags mutable refs like tibdex/github-app-token@v1.8.0.
rg -nP '^\s*uses:\s*(?!\./)(?!docker://)[^@\s]+@(?![0-9a-fA-F]{40}\b)[^\s#]+' .github/workflows/*.yml

Repository: NVIDIA/cccl

Length of output: 4719

🏁 Script executed:

cat .github/workflows/project_automation_sync_pr_issues.yml

Repository: NVIDIA/cccl

Length of output: 9447

important: pin tibdex/github-app-token@v1.8.0 to a full commit SHA instead of mutable tag. Using a major version tag with app secrets (CCCL_AUTH_APP_ID, CCCL_AUTH_APP_PEM) creates supply-chain risk; tag can be retargeted by the action maintainer.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

@jrhemstad jrhemstad Awaiting requested review from jrhemstad jrhemstad is a code owner automatically assigned from NVIDIA/cccl-infra-codeowners

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

CCCL
Status: In Review

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@arpitjain099