
@JasonXuDeveloper
Owner

Summary

  • Set workflow-level permissions to read-all in pr-tests.yml and unity-tests.yml
  • Add explicit job-level permissions for each job that needs them

This addresses OpenSSF Scorecard Token-Permissions alerts by following the principle of least privilege.

Test plan

  • PR Tests workflow runs successfully
  • Unity Tests workflow runs successfully
  • Scorecard re-scan shows improved Token-Permissions score

🤖 Generated with Claude Code

@github-actions github-actions bot added the ci label Jan 26, 2026
- pr-tests.yml: Set explicit permissions at workflow level, jobs restrict further
- unity-tests.yml: Set explicit permissions for reusable workflow

Using read-all at workflow level prevents jobs from getting write permissions.
Instead, set maximum needed permissions at workflow level and let jobs restrict.

Signed-off-by: JasonXuDeveloper <[email protected]>
Signed-off-by: JasonXuDeveloper - 傑 <[email protected]>

Write permissions are required for:
- checks: write - GameCI publishes test results as check runs
- statuses: write - Setting commit status for branch protection
- pull-requests: write - Commenting test results on PRs
- contents: write - Release workflow creates tags and commits

Signed-off-by: JasonXuDeveloper <[email protected]>
Signed-off-by: JasonXuDeveloper - 傑 <[email protected]>
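The layout the commit message describes (workflow-level block as the ceiling, each job restricting further, only the write scopes listed above), as an added illustration; this is not the project's own pr-tests.yml, and the job names, build script and publish step are placeholders:

```yaml
# Added example, not the project's workflow file. The top-level block is the
# maximum any job in this workflow may use; each job then narrows it. Once a
# permissions block names any scope, every unnamed scope is set to "none".
name: PR Tests

on:
  pull_request:

# Workflow-level ceiling: only the scopes the commit message lists for PR tests.
# contents stays read; contents: write belongs to the release workflow only.
permissions:
  contents: read
  checks: write          # GameCI publishes test results as check runs
  statuses: write        # commit status for branch protection
  pull-requests: write   # test-result comment on the PR

jobs:
  build:
    runs-on: ubuntu-latest
    # Building only needs to read the repository; checks, statuses and
    # pull-requests become "none" for this job's GITHUB_TOKEN.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - run: ./build.sh   # placeholder for the project's actual build step

  report:
    runs-on: ubuntu-latest
    needs: build
    # Only the reporting job receives the write scopes, and never contents: write.
    permissions:
      contents: read
      checks: write
      statuses: write
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
      - name: Publish test results
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: echo "placeholder for the step that posts check runs and PR comments"
```

A job that sets no `permissions` block inherits the workflow-level ceiling, so every job that touches the token should state its own block, as both jobs above do.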
@claude

claude bot commented Jan 26, 2026

Code review

No issues found. Checked for bugs and CLAUDE.md compliance.

@github-actions

github-actions bot commented Jan 26, 2026

Unity Test Results

EditMode: All tests passed
PlayMode: All tests passed

Unity Version: 2022.3.55f1
Project Path: UnityProject

✅ All tests passed! The PR is ready for review.

- Remove unnecessary checkout step
- Add -R flag to gh pr review command
- Check for exact Claude message "No issues found. Checked for bugs and CLAUDE.md compliance"

Signed-off-by: JasonXuDeveloper - 傑 <[email protected]>
@JasonXuDeveloper JasonXuDeveloper merged commit a7407cc into master Jan 26, 2026
18 checks passed
@JasonXuDeveloper JasonXuDeveloper deleted the fix/token-permissions branch January 26, 2026 08:54