chore: restrict secrets in playwright github action#623
Conversation
WalkthroughThe workflow file 🚥 Pre-merge checks | ✅ 4✅ Passed checks (4 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
🧹 Nitpick comments (1)
.github/workflows/build_and_test_pages.yml (1)
11-15: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick winConsider adding an explicit
permissions:block tocall_playwright.Static analysis flags this job for using default (broad) permissions since no
permissions:block is set. Given this PR's goal is minimizing what's exposed to the job, pairing the secrets restriction with an explicit least-privilegepermissions:block would further tighten the job's blast radius.🔒 Example fix
call_playwright: needs: call_build uses: ./.github/workflows/playwright.yml + permissions: + contents: read secrets: BOT_REPO_SCOPED_TOKEN: ${{ secrets.BOT_REPO_SCOPED_TOKEN }}🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/build_and_test_pages.yml around lines 11 - 15, The call_playwright job currently inherits broad default GitHub Actions permissions because it has no explicit permissions block. Update the call_playwright job in the workflow to declare least-privilege permissions alongside the existing secrets mapping, using the job name call_playwright as the anchor. Keep the permissions as narrow as possible for this reusable workflow call so the job’s access is explicitly restricted.Source: Linters/SAST tools
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In @.github/workflows/build_and_test_pages.yml:
- Around line 11-15: The call_playwright job currently inherits broad default
GitHub Actions permissions because it has no explicit permissions block. Update
the call_playwright job in the workflow to declare least-privilege permissions
alongside the existing secrets mapping, using the job name call_playwright as
the anchor. Keep the permissions as narrow as possible for this reusable
workflow call so the job’s access is explicitly restricted.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 323ae18d-dbdc-4836-93ea-e65cc42a9b6b
📒 Files selected for processing (1)
.github/workflows/build_and_test_pages.yml
Only passes the needed secret instead of all secrets to the playwright step