Skip to content

Fix permissions for update-release* workflows #1009

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
data-douser wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Fix permissions for update-release* workflows #1009

data-douser wants to merge 2 commits into from
+18 −12

Conversation

@data-douser
Copy link

@data-douser data-douser commented Dec 22, 2025
edited
Loading

Description

This pull request updates the GitHub Actions workflows related to release management. The main focus is on improving permissions handling by moving permissions from the workflow level to the job level, updating action versions, and ensuring permissions are properly set for each job. These changes enhance workflow security and maintain compatibility with the latest action versions.

Change request type

  • Release or process automation (GitHub workflows, internal scripts)
  • Internal documentation
  • External documentation
  • Query files (.ql, .qll, .qls or unit tests)
  • External scripts (analysis report or other code shipped as part of a release)

Rules with added or modified queries

  • No rules added
  • Queries have been added for the following rules:
    • rule number here
  • Queries have been modified for the following rules:
    • rule number here

Release change checklist

A change note (development_handbook.md#change-notes) is required for any pull request which modifies:

  • The structure or layout of the release artifacts.
  • The evaluation performance (memory, execution time) of an existing query.
  • The results of an existing query in any circumstance.

If you are only adding new rule queries, a change note is not required.

Author: Is a change note required?

  • Yes
  • No

🚨🚨🚨
Reviewer: Confirm that format of shared queries (not the .qll file, the
.ql file that imports it) is valid by running them within VS Code.

  • Confirmed

Reviewer: Confirm that either a change note is not required or the change note is required and has been added.

  • Confirmed

Query development review checklist

For PRs that add new queries or modify existing queries, the following checklist should be completed by both the author and reviewer:

Author

  • Have all the relevant rule package description files been checked in?
  • Have you verified that the metadata properties of each new query is set appropriately?
  • Do all the unit tests contain both "COMPLIANT" and "NON_COMPLIANT" cases?
  • Are the alert messages properly formatted and consistent with the style guide?
  • Have you run the queries on OpenPilot and verified that the performance and results are acceptable?
    As a rule of thumb, predicates specific to the query should take no more than 1 minute, and for simple queries be under 10 seconds. If this is not the case, this should be highlighted and agreed in the code review process.
  • Does the query have an appropriate level of in-query comments/documentation?
  • Have you considered/identified possible edge cases?
  • Does the query not reinvent features in the standard library?
  • Can the query be simplified further (not golfed!)

Reviewer

  • Have all the relevant rule package description files been checked in?
  • Have you verified that the metadata properties of each new query is set appropriately?
  • Do all the unit tests contain both "COMPLIANT" and "NON_COMPLIANT" cases?
  • Are the alert messages properly formatted and consistent with the style guide?
  • Have you run the queries on OpenPilot and verified that the performance and results are acceptable?
    As a rule of thumb, predicates specific to the query should take no more than 1 minute, and for simple queries be under 10 seconds. If this is not the case, this should be highlighted and agreed in the code review process.
  • Does the query have an appropriate level of in-query comments/documentation?
  • Have you considered/identified possible edge cases?
  • Does the query not reinvent features in the standard library?
  • Can the query be simplified further (not golfed!)

Copilot AI review requested due to automatic review settings December 22, 2025 16:42
@data-douser data-douser self-assigned this Dec 22, 2025
Copilot AI reviewed Dec 22, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR modernizes GitHub Actions workflow configurations for release management by moving permissions from workflow-level to job-level, updating action versions from v5 to v6, and improving workflow structure. This change enhances security by applying the principle of least privilege at the job level.

  • Relocated permissions from workflow-level to job-level for better security granularity
  • Updated actions/checkout and actions/setup-python from v5 to v6
  • Added formatting improvements (blank lines) for better readability

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File Description
.github/workflows/update-release.yml Moved permissions from workflow-level (lines 2-5) to job-level (lines 26-29), updated actions/checkout and actions/setup-python to v6
.github/workflows/update-release-status.yml Moved permissions from workflow-level to job-level for both the validate-check-runs job (lines 21-24) and the update-release job (lines 135-138), updated actions/checkout to v6

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@data-douser data-douser requested a review from Copilot December 22, 2025 16:55
Copilot AI reviewed Dec 22, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

knewbury01
knewbury01 approved these changes Dec 22, 2025
View reviewed changes
Copy link
Collaborator

@knewbury01 knewbury01 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@knewbury01 knewbury01 knewbury01 approved these changes

@MichaelRFairhurst MichaelRFairhurst Awaiting requested review from MichaelRFairhurst

Assignees

@data-douser data-douser

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@data-douser @knewbury01