5 changes: 3 additions & 2 deletions .github/actions/run-integration-tests/action.yml
Expand Up @@ -19,10 +19,11 @@ runs:
steps:
- name: run-integration-tests-acapy
# to run with external ledger and tails server run as follows (and remove the ledger and tails actions from the workflow):
# run: LEDGER_URL=https://test.bcovrin.vonx.io PUBLIC_TAILS_URL=https://tails.vonx.io ./run_bdd ${{ inputs.TEST_SCOPE }}
run: ./run_bdd ${{ inputs.TEST_SCOPE }}
# run: LEDGER_URL=... PUBLIC_TAILS_URL=... ./run_bdd $TEST_SCOPE
run: ./run_bdd $TEST_SCOPE
shell: bash
env:
TEST_SCOPE: ${{ inputs.TEST_SCOPE }}
LEDGER_URL: ${{ inputs.IN_LEDGER_URL }}
PUBLIC_TAILS_URL: ${{ inputs.IN_PUBLIC_TAILS_URL }}
LOG_LEVEL: warning
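Review bot: `$TEST_SCOPE` on the new `run:` line is unquoted, so a value containing whitespace or glob characters is word-split and expanded by bash before `./run_bdd` sees it; unless the input is deliberately a list of arguments, write `run: ./run_bdd "$TEST_SCOPE"`. Moving the expression out of the script body into `env:` is the right shape, since the interpolated text no longer becomes shell source, and `LEDGER_URL`/`PUBLIC_TAILS_URL` already arrive the same way. The step's enclosing `runs:` block begins above the hunk.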
6 changes: 4 additions & 2 deletions .github/workflows/bdd-integration-tests.yml
Expand Up @@ -10,8 +10,6 @@ on:
types: [opened, synchronize, reopened, ready_for_review]

permissions:
contents: read
pull-requests: read
checks: write

Copilot AI Feb 24, 2026


permissions is still defined at the workflow level (currently checks: write). This keeps elevated permissions enabled for the entire workflow and is inconsistent with the stated goal of job-scoped least-privilege. Move/remove the workflow-level permissions block and keep checks: write only on the job(s) that require it.

Contributor Author


This contradicts what SonarQube flagged.


concurrency:
Expand All @@ -25,6 +23,10 @@ defaults:
jobs:
test:
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: read
checks: write
# Run on openwallet-foundation and non-draft PRs or on non-PR events
if: (github.repository == 'openwallet-foundation/acapy') && ((github.event_name == 'pull_request' && github.event.pull_request.draft == false) || (github.event_name != 'pull_request'))
outputs:
9 changes: 4 additions & 5 deletions .github/workflows/bdd-interop-tests.yml
Expand Up @@ -9,11 +9,6 @@ on:
- main
types: [opened, synchronize, reopened, ready_for_review]

permissions:
contents: read
pull-requests: read
checks: write

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
Expand All @@ -25,6 +20,10 @@ defaults:
jobs:
test:
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: read
checks: write
# Run on openwallet-foundation and non-draft PRs or on non-PR events
if: (github.repository == 'openwallet-foundation/acapy') && ((github.event_name == 'pull_request' && github.event.pull_request.draft == false) || (github.event_name != 'pull_request'))
outputs:
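Review bot: Deleting the workflow-level `permissions:` block in the first hunk removes the read-only baseline for this workflow: a job-level block applies only to that job, so any job without one — including one added later — runs with the repository's default GITHUB_TOKEN permissions, which may be broader than read unless the repo or org has already restricted them. Because a job-level `permissions:` replaces rather than merges with the workflow-level one, keeping `permissions:` / `  contents: read` at the top widens nothing for `test` and still caps every other job. The same deletion is made in codeql.yml, format.yml, nightly.yml, pip-audit.yml, pr-tests.yml, pythonpublish.yml, scenario-integration-tests.yml, snyk-lts.yml, snyk.yml, sonar-merge-main.yml, sonar-pr.yml and tag-recreate-lts.yml; in publish-docs.yml and publish.yml it is the only change shown and no job-level replacement is visible in the diff, so those two need a check that the `deploy` and `build-image` jobs declare their own block further down.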
6 changes: 2 additions & 4 deletions .github/workflows/codeql.yml
@@ -1,21 +1,19 @@
name: "Code scanning - action"

"on":
on:
push:
pull_request:
schedule:
- cron: "0 19 * * 0"

permissions:
contents: read

jobs:
CodeQL-Build:
# CodeQL runs on ubuntu-latest and windows-latest
runs-on: ubuntu-latest
if: (github.event_name == 'pull_request' && github.repository == 'openwallet-foundation/acapy') || (github.event_name != 'pull_request')

permissions:
contents: read
security-events: write

steps:
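Review bot: The key `"on"` loses its quotes on the first line of the hunk (format.yml makes the same change); `on` is a YAML 1.1 boolean, so generic parsers and yamllint's `truthy` rule treat the bare key as `true`. GitHub's loader accepts it and the other workflows in this PR already use the bare form, so if consistency is the goal the edit is fine, but it is a yamllint regression for these two files unless the config sets `truthy: {check-keys: false}` or the quoted key is kept. A short comment such as `# quoted: yamllint's truthy rule reads a bare on-key as a boolean` on the original line would have explained the quoting and avoided the round trip.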
11 changes: 5 additions & 6 deletions .github/workflows/format.yml
@@ -1,17 +1,16 @@
name: Ruff Code Formatter and Linting Check

"on":
on:
pull_request:
branches:
- main

permissions:
contents: read
pull-requests: read
checks: write

jobs:
lint:
permissions:
contents: read
pull-requests: read
checks: write
name: lint
runs-on: ubuntu-latest
steps:
13 changes: 8 additions & 5 deletions .github/workflows/nightly.yml
Expand Up @@ -5,15 +5,14 @@ on:
- cron: "0 0 * * *"
workflow_dispatch:

permissions:
contents: read
pull-requests: read
checks: write

jobs:
tests:
if: github.repository_owner == 'openwallet-foundation' || github.event_name == 'workflow_dispatch'
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: read
checks: write
strategy:
fail-fast: false
matrix:
Expand All @@ -34,6 +33,9 @@ jobs:
setup_and_check_pub:
name: Setup Publish
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: read
outputs:
commits_today: ${{ steps.commits.outputs.commits_today }}
date: ${{ steps.date.outputs.date }}
Expand Down Expand Up @@ -61,6 +63,7 @@ jobs:
tag: ["nightly-${{needs.setup_and_check_pub.outputs.date}}", nightly]
permissions:
contents: read
pull-requests: read
packages: write
with:
tag: ${{ matrix.tag }}
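Review bot: `pull-requests: read` is added to the `permissions:` of the reusable-workflow call in the last hunk and to `setup_and_check_pub` in the second, but nothing visible in either job reads pull-request data — the call passes only `tag`, and `setup_and_check_pub` exposes `commits_today` and `date`. If the called workflow (publish.yml) does not need it either, drop the scope from both blocks so each job's grant matches what it uses; if it is needed, a why-comment beside it would stop the next least-privilege pass from removing it. The `tests` job block in the first hunk carries the same scope, and whether its matrix steps below the hunk use it is not visible here.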
5 changes: 2 additions & 3 deletions .github/workflows/pip-audit.yml
Expand Up @@ -3,12 +3,11 @@ name: pip-audit
on:
workflow_dispatch:

permissions:
contents: read

jobs:
selftest:
runs-on: ubuntu-latest
permissions:
contents: read
if: (github.event_name == 'pull_request' && github.repository == 'openwallet-foundation/acapy') || (github.event_name != 'pull_request')
steps:
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
13 changes: 8 additions & 5 deletions .github/workflows/pr-tests.yml
Expand Up @@ -3,18 +3,17 @@ name: PR Tests
on:
pull_request:

permissions:
contents: read
pull-requests: read
checks: write

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

jobs:
tests:
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: read
checks: write
steps:
- name: checkout
uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
Expand All @@ -28,6 +27,10 @@ jobs:
postgres-tests:
name: PostgreSQL Integration Tests
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: read
checks: write
services:
postgres:
image: postgres:15-alpine
3 changes: 0 additions & 3 deletions .github/workflows/publish-docs.yml
Expand Up @@ -7,9 +7,6 @@ on:
- main
- docs-v*

permissions:
contents: read

jobs:
deploy:
runs-on: ubuntu-latest
3 changes: 0 additions & 3 deletions .github/workflows/publish.yml
Expand Up @@ -23,9 +23,6 @@ on:
required: false
type: string

permissions:
contents: read

jobs:
build-image:
strategy:
4 changes: 1 addition & 3 deletions .github/workflows/pythonpublish.yml
Expand Up @@ -4,16 +4,14 @@ on:
release:
types: [created]

permissions:
contents: read

jobs:
deploy:
runs-on: ubuntu-latest
environment:
name: pypi
url: https://pypi.org/p/acapy-agent
permissions:
contents: read
id-token: write # IMPORTANT: this permission is mandatory for trusted publishing
steps:
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
9 changes: 4 additions & 5 deletions .github/workflows/scenario-integration-tests.yml
Expand Up @@ -9,11 +9,6 @@ on:
- main
types: [opened, synchronize, reopened, ready_for_review]

permissions:
contents: read
pull-requests: read
checks: write

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
Expand All @@ -25,6 +20,10 @@ defaults:
jobs:
test:
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: read
checks: write
# Run on openwallet-foundation and non-draft PRs or on non-PR events
if: (github.repository == 'openwallet-foundation/acapy') && ((github.event_name == 'pull_request' && github.event.pull_request.draft == false) || (github.event_name != 'pull_request'))
steps:
4 changes: 3 additions & 1 deletion .github/workflows/scorecard.yml
Expand Up @@ -18,7 +18,9 @@ on:
branches: [ "main" ]

# Declare default permissions as read only.
permissions: read-all
permissions:
contents: read
actions: read

jobs:
analysis:
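Review bot: The comment above the rewritten block still says "Declare default permissions as read only", which remains true, but the block is now a specific allow-list and nothing records why `actions: read` belongs in it; a why-comment such as `# actions: read — used by the Scorecard analysis job (confirm against the action's docs)` would keep a later least-privilege pass from dropping it. The `analysis` job's own `permissions:` is below the hunk and not visible here, so whether the job still gets what it needs to upload results cannot be checked from this diff.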
3 changes: 0 additions & 3 deletions .github/workflows/snyk-lts.yml
Expand Up @@ -11,9 +11,6 @@ on:
- acapy_agent/**
- docker/**

permissions:
contents: read

jobs:
snyk:
permissions:
3 changes: 0 additions & 3 deletions .github/workflows/snyk.yml
Expand Up @@ -7,9 +7,6 @@ on:
- acapy_agent/**
- docker/**

permissions:
contents: read

jobs:
snyk:
permissions:
7 changes: 3 additions & 4 deletions .github/workflows/sonar-merge-main.yml
Expand Up @@ -4,12 +4,11 @@ on:
branches:
- main

permissions:
contents: read
checks: write

jobs:
sonarcloud:
permissions:
contents: read
checks: write
name: SonarCloud
runs-on: ubuntu-latest
if: github.repository == 'openwallet-foundation/acapy' && github.actor != 'dependabot[bot]'
9 changes: 4 additions & 5 deletions .github/workflows/sonar-pr.yml
Expand Up @@ -6,13 +6,12 @@ on:
types:
- completed

permissions:
contents: read
pull-requests: read
checks: write

jobs:
SonarCloud:
permissions:
contents: read
pull-requests: read
checks: write
runs-on: ubuntu-latest
if: github.event.workflow_run.conclusion == 'success' && github.repository == 'openwallet-foundation/acapy'
steps:
8 changes: 4 additions & 4 deletions .github/workflows/tag-recreate-lts.yml
Expand Up @@ -14,10 +14,6 @@ on:
required: true
type: string

permissions:
contents: write
packages: write

jobs:
recreate-lts-release:
# LTS versions are now configured in .github/lts-versions.txt
Expand All @@ -27,6 +23,8 @@ jobs:
(github.event_name == 'workflow_dispatch')
name: Recreate LTS Release
runs-on: ubuntu-latest
permissions:
contents: write
outputs:
lts_tag: ${{ steps.set_outputs.outputs.lts_tag }}
release_tag: ${{ steps.set_outputs.outputs.release_tag }}
Expand Down Expand Up @@ -230,6 +228,8 @@ jobs:
needs.recreate-lts-release.outputs.lts_tag != '' &&
needs.recreate-lts-release.outputs.release_tag != ''
runs-on: ubuntu-latest
permissions:
packages: write
strategy:
matrix:
python-version: ["3.12"]
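Review bot: The job in the last hunk now declares `permissions:` with only `packages: write`; a job-level block sets every scope it does not list to `none`, so `contents` for that job drops from the old workflow-level `write` to nothing. If any of its steps below the hunk runs `actions/checkout` or otherwise reads the repository through the token, add `contents: read` alongside `packages: write` (a private repository needs it for checkout; confirm for this one). The same check applies to `recreate-lts-release` in the second hunk, which keeps `contents: write` but nothing else; both job definitions begin above their hunks.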