Skip to content

ci: declare read-only token permissions on test workflow#229

Merged
nrabinowitz merged 1 commit into
uber:masterfrom
arpitjain099:chore/restrict-workflow-token-perms
Jul 3, 2026
Merged

ci: declare read-only token permissions on test workflow#229
nrabinowitz merged 1 commit into
uber:masterfrom
arpitjain099:chore/restrict-workflow-token-perms

Conversation

@arpitjain099

Copy link
Copy Markdown
Contributor

Adds a top-level permissions: contents: read declaration to the test workflow.

The workflow checks out code, builds the project, and runs tests. The GITHUB_TOKEN is only passed to the Coveralls action for coverage upload, which works with read-only access. Declaring explicit permissions restricts the token to the minimum scope needed.

@dfellis

dfellis commented Jun 4, 2026

Copy link
Copy Markdown
Collaborator

This test is consistently failing I assume this pre-dates this PR, but I don't see an issue to fix it.

@arpitjain099

Copy link
Copy Markdown
Contributor Author

You're right that it pre-dates this PR. This change only adds a top-level permissions: contents: read to the workflow token and touches no test or build logic, so it can't be the cause. The same workflow is already red on master (the #228 and #217 merge runs on 2026-05-26 both failed).

The failing job is "Build Test Node 22", and the step that exits non-zero is yarn check-prettier:

$ yarn prettier && git diff --exit-code
$ prettier --write --config .prettierrc 'lib/**/*.js' 'build/**/*.js' 'test/**/*.js'
error Command failed with exit code 1.

So prettier --write is reformatting committed files and the following git diff --exit-code fails. It's a formatting drift in the tree (likely a prettier version bump), not a test failure: the actual tap suite passes on that job. The other Node versions stay green because only the Node 22 "Build Test" job runs the lint/prettier step.

Happy to open a separate small PR that runs prettier across lib/build/test to get the job green again, or file a tracking issue if you'd prefer to handle the formatting bump yourselves. Either way it's independent of this permissions change.

@nrabinowitz

Copy link
Copy Markdown
Collaborator

Looked into this, it's not a prettier change - it's from #217, which added a post-process step to the built emscripten output but didn't check in the file with the build change. No idea why CI ran clean on that PR but failed on all subsequent merges. #230 fixes this, we should probably merge that first and then this should run green.

@nrabinowitz

Copy link
Copy Markdown
Collaborator

I think this should be mergeable on rebase to master, do you mind doing that @arpitjain099 ?

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
@arpitjain099 arpitjain099 force-pushed the chore/restrict-workflow-token-perms branch from 4716151 to 73ea499 Compare July 1, 2026 22:23
@arpitjain099

Copy link
Copy Markdown
Contributor Author

Done, rebased onto current master.

@nrabinowitz nrabinowitz merged commit 637861b into uber:master Jul 3, 2026
8 checks passed
@coveralls

Copy link
Copy Markdown

Coverage Report for CI Build 28551684983

Coverage remained the same at 100.0%

Details

  • Coverage remained the same as the base build.
  • Patch coverage: No coverable lines changed in this PR.
  • No coverage regressions found.

Uncovered Changes

No uncovered changes found.

Coverage Regressions

No coverage regressions found.


Coverage Stats

Coverage Status
Relevant Lines: 620
Covered Lines: 620
Line Coverage: 100.0%
Relevant Branches: 136
Covered Branches: 136
Branch Coverage: 100.0%
Branches in Coverage %: Yes
Coverage Strength: 4963.0 hits per line

💛 - Coveralls

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants