DEVX-773: (AI GENERATED) add explicit permissions to workflow jobs#144
Open
liudmyla-b wants to merge 1 commit into
Adds minimal required permissions block to comply with least-privilege principle. GitHub Actions defaults to broad permissions when none are specified.
Adds minimal required `permissions:` blocks to workflow jobs that were missing them.
Motivation: Explicit permissions follow the principle of least privilege and prevent accidental access escalation.
Note: Please review this PR carefully, as it was generated with assistance from AI. This is only a migration helper, so ensure you thoroughly evaluate the changes before MERGING IT ON YOUR OWN.
Timeline:
From June 1
Default switches to read-only org-wide. Repos can still override the setting for their own workflows — giving teams a grace week to finish up.
From June 8
Read-only is enforced via org policy. No more per-repo override.
Changes:
- gradle-build.yml: jobs `validation`, `gradle-ci`
- leanix-github-agent-code-coverage.yml: job `leanix-github-agent-connector-ci`

Permissions added:
- validation: `permissions: {}` (no checkout, no actions — no permissions needed)
- gradle-ci: `contents: read`, `actions: write` (actions/checkout + gradle/gradle-build-action@v2 with default caching)
- leanix-github-agent-connector-ci: `contents: read`, `actions: write`, `pull-requests: write` (actions/checkout + gradle/gradle-build-action@v2 with caching + madrapps/jacoco-report)
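For reference, here is what the two workflows look like with the job-level `permissions:` blocks described above. This is a constructed illustration added to this page, not the repository's actual workflow files: the triggers, step bodies, action versions and the jacoco-report inputs are assumptions; only the job names, the scopes and the action names come from the PR description.

```yaml
# gradle-build.yml (constructed illustration; triggers and steps are assumptions)
name: gradle-build
on: [push, pull_request]

jobs:
  validation:
    runs-on: ubuntu-latest
    # No checkout and no action calls, so the job needs no token scopes.
    # An empty mapping grants GITHUB_TOKEN nothing at all in this job,
    # instead of inheriting the broad default that applies when the key is absent.
    permissions: {}
    steps:
      - run: echo "validation step (placeholder)"

  gradle-ci:
    runs-on: ubuntu-latest
    permissions:
      contents: read   # actions/checkout needs to read the repository
      actions: write   # gradle-build-action@v2 default caching, per the PR description
    steps:
      - uses: actions/checkout@v4
      - uses: gradle/gradle-build-action@v2
      - run: ./gradlew build

---
# leanix-github-agent-code-coverage.yml (constructed illustration)
name: leanix-github-agent-code-coverage
on: [pull_request]

jobs:
  leanix-github-agent-connector-ci:
    runs-on: ubuntu-latest
    permissions:
      contents: read        # actions/checkout
      actions: write        # gradle-build-action@v2 caching
      pull-requests: write  # madrapps/jacoco-report comments the coverage result on the PR
    steps:
      - uses: actions/checkout@v4
      - uses: gradle/gradle-build-action@v2
      - run: ./gradlew test jacocoTestReport
      - uses: madrapps/jacoco-report@v1.6.1  # version is an assumption
        with:
          paths: build/reports/jacoco/test/jacocoTestReport.xml
          token: ${{ secrets.GITHUB_TOKEN }}
```

Because the scopes are declared per job, a job that gains a new step (for example one that pushes tags or writes issues) fails visibly on the missing scope rather than silently succeeding on inherited defaults, which is the review signal this PR is after.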