From 46d9026fd3196d3696586c572430c4d5981567f9 Mon Sep 17 00:00:00 2001
From: Arpit Jain
Date: Thu, 14 May 2026 10:18:10 +0900
Subject: [PATCH] ci: declare permissions on the four project-automation workflows

The three project_automation_* workflows authenticate every step via tibdex/github-app-token using CCCL_AUTH_APP_ID + CCCL_AUTH_APP_PEM, so the workflow's implicit GITHUB_TOKEN is unused. `permissions: {}` captures that contract. triage_rotation.yml is the exception: it uses github.token directly through `gh issue edit --add-label`, `gh issue comment`, and a GraphQL addAssigneesToAssignable mutation. Per-job `issues: write` is the minimum that covers all three calls. All four trigger on pull_request_target / issues, the elevated-context shape, so pinning the workflow scope is high-signal: the implicit default-branch GITHUB_TOKEN no longer has anything to grant the project_automation workflows, and triage_rotation is scoped to just the API calls it actually makes. Style matches the per-job and workflow-level permissions blocks already used in backport-prs.yml, bench.yml, blackduck-sca.yml, and the other hardened workflows.

Signed-off-by: Arpit Jain
---
 .github/workflows/project_automation_set_in_review.yml | 3 +++
 .github/workflows/project_automation_set_roadmap.yml | 3 +++
 .github/workflows/project_automation_sync_pr_issues.yml | 3 +++
 .github/workflows/triage_rotation.yml | 2 ++
 4 files changed, 11 insertions(+)

diff --git a/.github/workflows/project_automation_set_in_review.yml b/.github/workflows/project_automation_set_in_review.yml
index 52ec0b7bb9b..e4861efc590 100644
--- a/.github/workflows/project_automation_set_in_review.yml
+++ b/.github/workflows/project_automation_set_in_review.yml
@@ -33,6 +33,9 @@ env:
   STATUS_FIELD_ID: "PVTSSF_lADOABpemM4AEhOIzgCmnYc"
   IN_REVIEW_PROJECT_OPTION_ID: "c6b49c6b"
 
+# Workflow token unused: every step authenticates via tibdex/github-app-token.
+permissions: {}
+
 jobs:
   query_and_mutate_project_fields:
     if: github.repository == 'NVIDIA/cccl'
diff --git a/.github/workflows/project_automation_set_roadmap.yml b/.github/workflows/project_automation_set_roadmap.yml
index 4c6210fa040..2eaa380a993 100644
--- a/.github/workflows/project_automation_set_roadmap.yml
+++ b/.github/workflows/project_automation_set_roadmap.yml
@@ -35,6 +35,9 @@ env:
   PROJECT_ID: "PVT_kwDOABpemM4AEhOI"
   ROADMAP_FIELD_ID: "PVTSSF_lADOABpemM4AEhOIzgC_MXI"
 
+# Workflow token unused: every step authenticates via tibdex/github-app-token.
+permissions: {}
+
 jobs:
   set_roadmap_value:
     if: github.repository == 'NVIDIA/cccl'
diff --git a/.github/workflows/project_automation_sync_pr_issues.yml b/.github/workflows/project_automation_sync_pr_issues.yml
index e1240493f06..b9ffbd6a4ae 100644
--- a/.github/workflows/project_automation_sync_pr_issues.yml
+++ b/.github/workflows/project_automation_sync_pr_issues.yml
@@ -33,6 +33,9 @@ env:
   WORKING_SPRINT_FIELD_ID: "PVTIF_lADOABpemM4AEhOIzgJlRho"
   START_SPRINT_FIELD_ID: "PVTIF_lADOABpemM4AEhOIzgJlRhU"
 
+# Workflow token unused: every step authenticates via tibdex/github-app-token.
+permissions: {}
+
 jobs:
   query_and_mutate_project_fields:
     if: github.repository == 'NVIDIA/cccl'
diff --git a/.github/workflows/triage_rotation.yml b/.github/workflows/triage_rotation.yml
index cb5d79e0889..1c2febf3dbc 100644
--- a/.github/workflows/triage_rotation.yml
+++ b/.github/workflows/triage_rotation.yml
@@ -27,6 +27,8 @@ jobs:
   assign_issues:
     runs-on: ubuntu-latest
     if: ${{ ! contains(fromJSON('["OWNER", "MEMBER", "CONTRIBUTOR", "COLLABORATOR"]'), github.event.issue.author_association)}}
+    permissions:
+      issues: write # assign user, add label, post comment via gh CLI
     steps:
       - name: Calculate assignee
         id: calculate_assignee
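Review bot: The comment added above `permissions: {}` says why the block is empty but not what it leaves untouched: the block only strips scopes from GITHUB_TOKEN, while the token that tibdex/github-app-token mints from CCCL_AUTH_APP_PEM carries whatever the app installation grants, and on pull_request_target that app token is the privilege that matters. Suggest `# GITHUB_TOKEN unused: every step authenticates via tibdex/github-app-token. This block does not narrow the app token; that is scoped by the app installation.` The same comment is added in project_automation_set_roadmap.yml and project_automation_sync_pr_issues.yml and should read the same there. If the installation grants more than these jobs need, the action's `permissions` input can narrow the minted token per workflow. The jobs that consume the token lie outside the hunk.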
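Review bot: The inline comment on `issues: write` sits one space after the value, which yamllint's `comments` rule (min-spaces-from-content: 2) flags; write `      issues: write  # assign user, add label, post comment via gh CLI`. The job-level grant binds only assign_issues; any other job in triage_rotation.yml, or one added later, still inherits the repository default, so a workflow-level `permissions: {}` next to this job-level block would match the pattern the three project_automation files in this patch use. Whether other jobs exist cannot be seen from here, and the body of assign_issues continues past the end of the hunk.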