Conversation

@nanotaboada (Owner) commented Dec 22, 2025

Move 'contents: read' permission from workflow level to individual job level for better clarity and following the principle of least privilege. Each job now explicitly declares its required permissions.

Summary by CodeRabbit

  • Chores
    • Enhanced GitHub Actions workflow security and maintainability by restructuring permission assignments from global workflow-level settings to granular, job-specific permissions for build, test, and coverage processes. This ensures each job operates with only the permissions it requires, improving overall security practices and workflow organization throughout the continuous integration pipeline.

Move 'contents: read' permission from workflow level to individual
job level for better clarity and following the principle of least
privilege. Each job now explicitly declares its required permissions.
@coderabbitai (bot) commented Dec 22, 2025

Walkthrough

The GitHub Actions workflow in .github/workflows/dotnet.yml was restructured to move permissions from a top-level declaration to per-job declarations. The permissions: contents: read was removed from the workflow root and added as identical permission blocks to the build, test, and coverage jobs, while the container job retained its existing permissions.

Changes

Cohort / File(s) | Summary
GitHub Actions Workflow Permissions (.github/workflows/dotnet.yml) | Moved permissions: contents: read from top-level workflow scope to individual job-level declarations for build, test, and coverage jobs; container job permissions unchanged.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

  • Verify all jobs that require content read permissions have the permission block added
  • Confirm the container job was intentionally excluded from changes
  • Ensure no duplicate or conflicting permission declarations exist

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The title follows Conventional Commits format with 'ci:' prefix, is 42 characters (under 80), and clearly describes the main change of moving workflow permissions to job level.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5df7687 and 4510227.

📒 Files selected for processing (1)
  • .github/workflows/dotnet.yml
🧰 Additional context used
🧠 Learnings (2)
📚 Learning: 2025-12-11T00:20:42.278Z
Learnt from: CR
Repo: nanotaboada/Dotnet.Samples.AspNetCore.WebApi PR: 0
File: azure-pipelines.yml:0-0
Timestamp: 2025-12-11T00:20:42.278Z
Learning: Applies to azure-pipelines.yml : Trigger pipeline on commits to master and feature/* branches, and on pull requests to master

Applied to files:

  • .github/workflows/dotnet.yml
📚 Learning: 2025-12-11T00:20:42.278Z
Learnt from: CR
Repo: nanotaboada/Dotnet.Samples.AspNetCore.WebApi PR: 0
File: azure-pipelines.yml:0-0
Timestamp: 2025-12-11T00:20:42.278Z
Learning: Build and test ASP.NET Core projects targeting .NET 8 on Linux using Azure Pipelines

Applied to files:

  • .github/workflows/dotnet.yml
⏰ Context from checks skipped due to timeout of 120000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Codacy Static Code Analysis
🔇 Additional comments (4)
.github/workflows/dotnet.yml (4)

19-20: LGTM: Build job permissions are appropriate.

The contents: read permission is sufficient for this job. The build job only needs to checkout the repository and run build commands, which don't require additional GitHub permissions.


83-84: Verify artifact download permissions (related to test job concern).

Similar to the test job, verify that actions/download-artifact@v7.0.0 works without explicit actions: read permission when job permissions are restricted to contents: read.


19-20: Excellent security improvement following least privilege principle.

Moving permissions from workflow-level to job-level is a security best practice. This ensures each job only has the minimum permissions it needs, reducing the potential impact if a job or action is compromised.

The approach of explicitly declaring contents: read for each job (build, test, coverage) while the container job retains its additional packages: write permission is exactly right.

Also applies to: 47-48, 83-84


47-48: Add pull-requests: read permission for commitlint action with pull_request events.

The wagoid/commitlint-github-action@v6 requires permissions: contents: read pull-requests: read when running on pull_request events. The current configuration only includes contents: read, which is insufficient for the action to access pull request commit information.


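The job-scoped permission layout discussed in the review above, written out as an added example: this is not the repository's .github/workflows/dotnet.yml, and only the job names (build, test, coverage, container), the container job's packages: write, and the two action references (wagoid/commitlint-github-action@v6, actions/download-artifact@v7.0.0) come from the thread. The triggers, runner, checkout/upload/docker action versions and the dotnet commands are assumptions chosen to make the fragment complete. The point the example makes visible is the one the review relies on: once a job declares its own permissions block, every scope it does not list is set to none, so the build job's GITHUB_TOKEN cannot, for instance, push a package even if a step in it were compromised.

```yaml
name: dotnet

# Triggers are assumed for this example; the page does not show them.
on:
  push:
    branches: [master]
  pull_request:
    branches: [master]

# Deliberately no workflow-level `permissions:` block. Each job declares
# its own, and any scope a job leaves out is `none` for that job's token.
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read            # checkout is the only API access needed
    steps:
      - uses: actions/checkout@v4
      - run: dotnet build --configuration Release   # assumed build step

  test:
    runs-on: ubuntu-latest
    needs: build
    permissions:
      contents: read
      pull-requests: read       # commitlint reads PR commits on pull_request events
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0        # commitlint needs the full commit range
      - uses: wagoid/commitlint-github-action@v6
      - run: dotnet test --collect:"XPlat Code Coverage"   # assumed test step
      - uses: actions/upload-artifact@v4                   # assumed artifact hand-off
        with:
          name: coverage
          path: '**/coverage.cobertura.xml'

  coverage:
    runs-on: ubuntu-latest
    needs: test
    permissions:
      contents: read
      # `actions: read` is only required when download-artifact pulls from a
      # *different* workflow run via `github-token`/`run-id`; same-run downloads
      # work with `contents: read` alone.
    steps:
      - uses: actions/download-artifact@v7.0.0
        with:
          name: coverage

  container:
    runs-on: ubuntu-latest
    needs: build
    permissions:
      contents: read
      packages: write           # the one job allowed to publish to GHCR
    steps:
      - uses: actions/checkout@v4
      - uses: docker/login-action@v3                       # assumed publish steps
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - uses: docker/build-push-action@v6
        with:
          push: true
          tags: ghcr.io/${{ github.repository }}:${{ github.sha }}
```

A quick way to confirm the layout did what was intended is to check each job's token after the change: a job whose only scope is contents: read will get a 403 from any write endpoint, which is the behaviour the least-privilege split is meant to guarantee.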

@codacy-production (bot) commented
Coverage summary from Codacy

See diff coverage on Codacy

Coverage variation | Diff coverage
+0.00% | ∅ (not applicable)

Coverage variation details

Commit | Coverable lines | Covered lines | Coverage
Common ancestor commit (5df7687) | 1723 | 196 | 11.38%
Head commit (4510227) | 1723 (+0) | 196 (+0) | 11.38% (+0.00%)

Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: <coverage of head commit> - <coverage of common ancestor commit>

Diff coverage details
Change | Coverable lines | Covered lines | Diff coverage
Pull request (#339) | 0 | 0 | ∅ (not applicable)

Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: <covered lines added or modified>/<coverable lines added or modified> * 100%

@nanotaboada nanotaboada merged commit 9ad5116 into master Dec 22, 2025
16 checks passed
@nanotaboada nanotaboada deleted the feature/move-permissions-to-job-level branch December 22, 2025 14:29