Skip to content

chore: restrict secrets in playwright github action#623

Merged
benlife5 merged 1 commit into
mainfrom
VULN-45394
Jul 1, 2026
Merged

chore: restrict secrets in playwright github action#623
benlife5 merged 1 commit into
mainfrom
VULN-45394

Conversation

@benlife5

@benlife5 benlife5 commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Only passes the needed secret instead of all secrets to the playwright step

@benlife5 benlife5 requested a review from a team as a code owner July 1, 2026 15:06
@coderabbitai

coderabbitai Bot commented Jul 1, 2026

Copy link
Copy Markdown

Review Change Stack

Walkthrough

The workflow file .github/workflows/build_and_test_pages.yml was modified so that the call_playwright job no longer inherits all secrets. Instead, it now defines an explicit secrets mapping that passes BOT_REPO_SCOPED_TOKEN from repository secrets to the job.

🚥 Pre-merge checks | ✅ 4
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly matches the main change: restricting Playwright action secret scope.
Description check ✅ Passed The description is directly related and accurately describes passing only the needed secret.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch VULN-45394

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
.github/workflows/build_and_test_pages.yml (1)

11-15: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Consider adding an explicit permissions: block to call_playwright.

Static analysis flags this job for using default (broad) permissions since no permissions: block is set. Given this PR's goal is minimizing what's exposed to the job, pairing the secrets restriction with an explicit least-privilege permissions: block would further tighten the job's blast radius.

🔒 Example fix
   call_playwright:
     needs: call_build
     uses: ./.github/workflows/playwright.yml
+    permissions:
+      contents: read
     secrets:
       BOT_REPO_SCOPED_TOKEN: ${{ secrets.BOT_REPO_SCOPED_TOKEN }}
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/build_and_test_pages.yml around lines 11 - 15, The
call_playwright job currently inherits broad default GitHub Actions permissions
because it has no explicit permissions block. Update the call_playwright job in
the workflow to declare least-privilege permissions alongside the existing
secrets mapping, using the job name call_playwright as the anchor. Keep the
permissions as narrow as possible for this reusable workflow call so the job’s
access is explicitly restricted.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In @.github/workflows/build_and_test_pages.yml:
- Around line 11-15: The call_playwright job currently inherits broad default
GitHub Actions permissions because it has no explicit permissions block. Update
the call_playwright job in the workflow to declare least-privilege permissions
alongside the existing secrets mapping, using the job name call_playwright as
the anchor. Keep the permissions as narrow as possible for this reusable
workflow call so the job’s access is explicitly restricted.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 323ae18d-dbdc-4836-93ea-e65cc42a9b6b

📥 Commits

Reviewing files that changed from the base of the PR and between adb35cf and e3a0b03.

📒 Files selected for processing (1)
  • .github/workflows/build_and_test_pages.yml

@benlife5 benlife5 merged commit fbef00d into main Jul 1, 2026
31 checks passed
@benlife5 benlife5 deleted the VULN-45394 branch July 1, 2026 17:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants