add pull-requests: read permission to verify-dockerfile workflow#234
add pull-requests: read permission to verify-dockerfile workflow#234
Conversation
The verify-dockerfile-refreshed-at-updated reusable workflow needs pull-requests: read to function correctly with the callers permissions.
🤖 Claude Code ReviewPR Code Review: Add
|
Existing (docker-verify-refreshed-at-updated.yaml) |
New (verify-dockerfile-refreshed-at-updated.yaml) |
|
|---|---|---|
name |
Docker verify REFRESHED_AT Updated |
Verify Dockerfile REFRESHED_AT Updated |
on.pull_request.branches |
[main] |
(all branches) |
concurrency |
Present | Missing |
pull-requests: read permission |
Missing | Present |
| Explanatory comment | Present | Missing |
❌ Missing concurrency block (.github/workflows/verify-dockerfile-refreshed-at-updated.yaml, line 1-14): The existing workflow uses a concurrency group to cancel in-progress runs. The new workflow omits this, which can lead to redundant parallel runs consuming GitHub Actions minutes unnecessarily.
❌ Missing branch filter on pull_request (line 4): The existing workflow restricts to branches: [main], but the new one triggers on PRs to any branch. This may be intentional (to support the pull-requests: read permission needed to inspect the PR diff across branches), but it should be confirmed. If the intent is to replace the existing workflow, the branch scoping is inconsistent.
Verify Dockerfiles REFRESHED_AT Updated) calling the same reusable workflow may produce duplicate required status checks. Clarify whether the old docker-verify-refreshed-at-updated.yaml is being replaced or if both are intended to coexist.
✅ Style guide — Unable to fetch the external style guide URL, but the YAML structure follows the patterns used in this repository's other workflow files.
Testing
N/A — This is a CI workflow file. No unit/integration tests apply.
Documentation
✅ No README or API docs changes required for a CI workflow addition.
✅ No complex inline logic requiring comments, though the existing docker-verify-refreshed-at-updated.yaml includes a useful comment on line 3-4 explaining the required status check naming. The new workflow omits this context.
Security
✅ permissions: {} at the workflow level with explicit least-privilege grants at the job level — correct security posture.
✅ No hardcoded credentials, sensitive data, or license files.
✅ Uses a pinned major version tag (@v4) on the reusable workflow reference — consistent with repository conventions.
Summary of Issues
| Severity | Issue |
|---|---|
| ❌ Medium | Missing concurrency block — can cause redundant parallel runs |
| ❌ Medium | Potential duplicate with docker-verify-refreshed-at-updated.yaml — clarify if old workflow should be removed |
| Missing explanatory comment about required status check naming (present in the existing counterpart) | |
No branch filter on pull_request trigger — confirm this is intentional |
Automated code review analyzing defects and coding standards
Super-linter summary
All files and directories linted successfully For more information, see the GitHub Actions workflow run Powered by Super-linter |
2 participants
The verify-dockerfile-refreshed-at-updated reusable workflow needs pull-requests: read to function correctly with the callers permissions.