From ea41344cfe6930fbadc46d2320e12094dd025416 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?JasonXuDeveloper=20-=20=E5=82=91?= Date: Mon, 26 Jan 2026 19:30:29 +1100 Subject: [PATCH 1/3] fix(ci): set explicit workflow permissions for Scorecard compliance MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - pr-tests.yml: Set explicit permissions at workflow level, jobs restrict further - unity-tests.yml: Set explicit permissions for reusable workflow Using read-all at workflow level prevents jobs from getting write permissions. Instead, set maximum needed permissions at workflow level and let jobs restrict. Signed-off-by: JasonXuDeveloper Signed-off-by: JasonXuDeveloper - 傑 --- .github/workflows/pr-tests.yml | 9 ++++++++- .github/workflows/unity-tests.yml | 1 + 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/.github/workflows/pr-tests.yml b/.github/workflows/pr-tests.yml index e3aed69c..65ceaa9d 100644 --- a/.github/workflows/pr-tests.yml +++ b/.github/workflows/pr-tests.yml @@ -12,15 +12,20 @@ concurrency: group: pr-tests-${{ github.event.pull_request.number }} cancel-in-progress: true +# Workflow-level permissions set to maximum needed by any job +# Individual jobs further restrict to only what they need permissions: contents: read - pull-requests: write + checks: write statuses: write + pull-requests: write jobs: changes: name: Detect Changes runs-on: ubuntu-latest + permissions: + contents: read outputs: should_test: ${{ steps.filter.outputs.src }} steps: @@ -75,6 +80,8 @@ jobs: needs: [changes, run-tests] runs-on: ubuntu-latest if: needs.changes.outputs.should_test == 'true' && needs.run-tests.result == 'success' + permissions: + contents: read steps: - name: Checkout repository uses: actions/checkout@v4 diff --git a/.github/workflows/unity-tests.yml b/.github/workflows/unity-tests.yml index 135ece31..292e40ce 100644 --- a/.github/workflows/unity-tests.yml +++ b/.github/workflows/unity-tests.yml @@ -23,6 +23,7 @@ on: description: 'Test results summary' value: ${{ jobs.test.outputs.results }} +# Workflow-level permissions for reusable workflow permissions: contents: read checks: write From 88a99718f5654696f8f6a3e17ebf749394c07049 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?JasonXuDeveloper=20-=20=E5=82=91?= Date: Mon, 26 Jan 2026 19:33:57 +1100 Subject: [PATCH 2/3] chore: add token-permissions annotation to scorecard config MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Write permissions are required for: - checks: write - GameCI publishes test results as check runs - statuses: write - Setting commit status for branch protection - pull-requests: write - Commenting test results on PRs - contents: write - Release workflow creates tags and commits Signed-off-by: JasonXuDeveloper Signed-off-by: JasonXuDeveloper - 傑 --- .scorecard.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/.scorecard.yml b/.scorecard.yml index 4a26ee47..c72229cf 100644 --- a/.scorecard.yml +++ b/.scorecard.yml @@ -37,3 +37,13 @@ annotations: - sast reasons: - reason: not-detected # CodeQL is configured but may not be recognized + + # Token permissions: Write permissions required for CI functionality + # - checks: write - GameCI publishes test results as check runs + # - statuses: write - Setting commit status for branch protection + # - pull-requests: write - Commenting test results on PRs + # - contents: write - Release workflow creates tags and commits + - checks: + - token-permissions + reasons: + - reason: not-applicable # Write permissions required for test reporting and release automation From 4c0d1190fae9d3c37a1cf0e450ddd9f5330ac4fe Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?JasonXuDeveloper=20-=20=E5=82=91?= Date: Mon, 26 Jan 2026 19:47:25 +1100 Subject: [PATCH 3/3] fix(ci): fix auto-approve workflow git repo error MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Remove unnecessary checkout step - Add -R flag to gh pr review command - Check for exact Claude message "No issues found. Checked for bugs and CLAUDE.md compliance" Signed-off-by: JasonXuDeveloper - 傑 --- .github/workflows/auto-approve.yml | 22 ++++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/.github/workflows/auto-approve.yml b/.github/workflows/auto-approve.yml index cd2e6598..b5a2026b 100644 --- a/.github/workflows/auto-approve.yml +++ b/.github/workflows/auto-approve.yml @@ -50,9 +50,19 @@ jobs: HEAD_SHA=$(gh api repos/${{ github.repository }}/pulls/$PR_NUMBER --jq '.head.sha') echo "Head SHA: $HEAD_SHA" - # Check Claude review status - CLAUDE_STATUS=$(gh api repos/${{ github.repository }}/commits/$HEAD_SHA/check-runs --jq '.check_runs[] | select(.name == "claude-review") | .conclusion' | head -1) + # Check Claude review status and output + CLAUDE_CHECK=$(gh api repos/${{ github.repository }}/commits/$HEAD_SHA/check-runs --jq '.check_runs[] | select(.name == "claude-review")') + CLAUDE_STATUS=$(echo "$CLAUDE_CHECK" | jq -r '.conclusion' | head -1) + CLAUDE_OUTPUT=$(echo "$CLAUDE_CHECK" | jq -r '.output.summary // .output.text // ""' | head -1) echo "Claude review status: $CLAUDE_STATUS" + echo "Claude review output: $CLAUDE_OUTPUT" + + # Check if Claude found no issues (exact message check) + CLAUDE_APPROVED="false" + if [ "$CLAUDE_STATUS" == "success" ] && echo "$CLAUDE_OUTPUT" | grep -q "No issues found. Checked for bugs and CLAUDE.md compliance"; then + CLAUDE_APPROVED="true" + fi + echo "Claude approved: $CLAUDE_APPROVED" # Check Unity Tests status (commit status, not check run) UNITY_STATUS=$(gh api repos/${{ github.repository }}/commits/$HEAD_SHA/status --jq '.statuses[] | select(.context == "Unity Tests") | .state' | head -1) @@ -68,11 +78,11 @@ jobs: fi # Determine if we should approve - if [ "$CLAUDE_STATUS" == "success" ] && [ "$UNITY_STATUS" == "success" ]; then - echo "All required checks passed!" + if [ "$CLAUDE_APPROVED" == "true" ] && [ "$UNITY_STATUS" == "success" ]; then + echo "All required checks passed and Claude found no issues!" echo "should_approve=true" >> $GITHUB_OUTPUT else - echo "Required checks not yet passed" + echo "Required checks not yet passed or Claude found issues" echo "should_approve=false" >> $GITHUB_OUTPUT fi @@ -102,6 +112,6 @@ jobs: run: | PR_NUMBER="${{ steps.pr.outputs.number }}" - gh pr review $PR_NUMBER --approve --body "Auto-approved: Claude review passed and Unity Tests passed (or were skipped for non-code changes)." + gh pr review $PR_NUMBER -R ${{ github.repository }} --approve --body "Auto-approved: Claude review found no issues and Unity Tests passed (or were skipped for non-code changes)." echo "PR #$PR_NUMBER approved!"