ci: declare explicit token permissions for maintenance workflows #11377
Rohan5commit wants to merge 1 commit into appwrite:main from
Conversation
📝 Walkthrough
Three GitHub Actions workflow files (cleanup-cache.yml, nightly.yml, and stale.yml) have been updated to include explicit top-level permissions blocks. The cleanup-cache workflow grants `actions: write` and `contents: read` permissions. The nightly workflow grants `contents: read` and `security-events: write` permissions. The stale workflow grants write access to issues and pull-requests. No workflow logic, steps, or job configurations were modified.
Estimated code review effort: 🎯 2 (Simple) | ⏱️ ~10 minutes
🚥 Pre-merge checks: ✅ 3 passed
Security Scan Results for PR
Docker Image Scan Results
Source Code Scan Results
🎉 No vulnerabilities found!
Caution: Some comments are outside the diff and can't be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
.github/workflows/nightly.yml (1)
Line 31: ⚠️ Potential issue | 🟡 Minor
`github/codeql-action/upload-sarif@v2` is deprecated and discontinued. CodeQL Action v2 was retired on January 10, 2025 and is no longer supported—all occurrences must be updated to v3 or v4. The current recommended version is v4. Both jobs in this workflow use the deprecated version; the scans may fail or silently produce no results.
⬆️ Proposed fix
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v4
Apply to both Line 31 and Line 49.
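Review bot: the replacement line swaps one mutable major tag for another; for a workflow that feeds code scanning, pin `github/codeql-action/upload-sarif` to the full commit SHA of the v4 release and keep the version in a trailing comment so Dependabot can still track it. The upload step also needs `security-events: write` on `GITHUB_TOKEN`, which is exactly the scope the top-level permissions block this PR adds to nightly.yml grants, so the version bump should go in as a follow-up on top of this change rather than being folded into it.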
Also applies to: 49-49
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/nightly.yml at line 31, Replace the deprecated CodeQL upload action usage string "uses: github/codeql-action/upload-sarif@v2" with the supported version (preferably "@v4") in both occurrences in the workflow; locate the two lines that currently contain the exact symbol "github/codeql-action/upload-sarif@v2" and update them to "github/codeql-action/upload-sarif@v4" so the workflow uses the current CodeQL upload action.
🧹 Nitpick comments (1)
.github/workflows/nightly.yml (1)
Line 23: `aquasecurity/trivy-action@0.20.0` is significantly outdated — upgrade to at least `0.34.0`.
The current release of `trivy-action` is `0.34.0`, which bundles a much newer Trivy version. Using `0.20.0` in a security scanning workflow risks missed CVEs due to the stale vulnerability DB bundled in that version.
⬆️ Proposed fix
- uses: aquasecurity/trivy-action@0.20.0
+ uses: aquasecurity/trivy-action@0.34.0
Apply to both Line 23 and Line 42.
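Review bot: the jump from 0.20.0 to 0.34.0 spans many releases of trivy-action, so the inputs the two jobs pass at Lines 23 and 42 (the SARIF format and the output path the later upload step reads) should be checked against the newer action's inputs before this bump is merged, and the new version should be pinned by commit SHA rather than the mutable tag. Note too that Trivy fetches its vulnerability database at scan time rather than shipping it inside the action, so the upgrade buys newer detection logic and continued compatibility with the current DB distribution, not a fresher database by itself.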
Also applies to: 42-42
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/nightly.yml at line 23, The workflow uses an outdated Trivy action reference ("uses: aquasecurity/trivy-action@0.20.0") which should be upgraded to at least "aquasecurity/trivy-action@0.34.0"; update every occurrence of the string "aquasecurity/trivy-action@0.20.0" in the workflow (both occurrences) to "aquasecurity/trivy-action@0.34.0" so the job uses the newer Trivy release and vulnerability DB.
Summary
Add explicit `GITHUB_TOKEN` permissions to maintenance/security workflows:
- .github/workflows/stale.yml
- .github/workflows/cleanup-cache.yml
- .github/workflows/nightly.yml

Permission mapping
- stale.yml: `issues: write`, `pull-requests: write` (required by actions/stale)
- cleanup-cache.yml: `actions: write`, `contents: read` (delete Actions cache keys + checkout)
- nightly.yml: `contents: read`, `security-events: write` (checkout + SARIF upload)

Why
These workflows currently rely on implicit default token scopes. Declaring required permissions explicitly improves least-privilege security and makes access requirements auditable.
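The PR's diff is not reproduced on this page, so the following is an added illustration, reconstructed from the permission mapping in the description above, of what the three top-level `permissions:` blocks look like in context. It is not the PR's own diff and not Appwrite's code: the permissions values are the ones the description states, while the triggers, step names, action versions and action inputs are assumptions chosen to make each workflow self-contained.

```yaml
# .github/workflows/stale.yml (reconstructed; trigger and action version assumed)
name: Stale issues and pull requests
on:
  schedule:
    - cron: "0 3 * * *"

# Before this change the job ran with the repository's default GITHUB_TOKEN
# scopes. With the block below the token can only label and close issues and
# PRs; it cannot push, write packages or upload security results.
permissions:
  issues: write          # actions/stale comments on and closes stale issues
  pull-requests: write   # and stale pull requests

jobs:
  stale:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/stale@v9
        with:
          days-before-stale: 60
          days-before-close: 14

# .github/workflows/cleanup-cache.yml (reconstructed; trigger and step assumed)
name: Cleanup Actions cache
on:
  pull_request:
    types: [closed]

permissions:
  actions: write   # deleting cache entries goes through the Actions cache API
  contents: read   # actions/checkout only needs to read the repository

jobs:
  cleanup:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Delete the repository's cache entries
        run: gh cache delete --all --repo "$GITHUB_REPOSITORY"
        env:
          GH_TOKEN: ${{ github.token }}

# .github/workflows/nightly.yml (reconstructed; action versions and inputs assumed)
name: Nightly security scan
on:
  schedule:
    - cron: "0 2 * * *"

permissions:
  contents: read          # checkout
  security-events: write  # required to upload SARIF to code scanning

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@0.34.0
        with:
          scan-type: fs
          scan-ref: .
          format: sarif
          output: trivy-results.sarif
      - uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: trivy-results.sarif
```

Because each block sits at the top level of the workflow, every job in that file inherits it, and any scope not listed is set to `none`; a single job that needs more can override with its own `permissions:` key rather than widening the whole file.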