22 changes: 16 additions & 6 deletions .github/workflows/auto-approve.yml
Expand Up @@ -50,9 +50,19 @@ jobs:
HEAD_SHA=$(gh api repos/${{ github.repository }}/pulls/$PR_NUMBER --jq '.head.sha')
echo "Head SHA: $HEAD_SHA"

# Check Claude review status
CLAUDE_STATUS=$(gh api repos/${{ github.repository }}/commits/$HEAD_SHA/check-runs --jq '.check_runs[] | select(.name == "claude-review") | .conclusion' | head -1)
# Check Claude review status and output
CLAUDE_CHECK=$(gh api repos/${{ github.repository }}/commits/$HEAD_SHA/check-runs --jq '.check_runs[] | select(.name == "claude-review")')
CLAUDE_STATUS=$(echo "$CLAUDE_CHECK" | jq -r '.conclusion' | head -1)
CLAUDE_OUTPUT=$(echo "$CLAUDE_CHECK" | jq -r '.output.summary // .output.text // ""' | head -1)
echo "Claude review status: $CLAUDE_STATUS"
echo "Claude review output: $CLAUDE_OUTPUT"

# Check if Claude found no issues (exact message check)
CLAUDE_APPROVED="false"
if [ "$CLAUDE_STATUS" == "success" ] && echo "$CLAUDE_OUTPUT" | grep -q "No issues found. Checked for bugs and CLAUDE.md compliance"; then
CLAUDE_APPROVED="true"
fi
echo "Claude approved: $CLAUDE_APPROVED"

# Check Unity Tests status (commit status, not check run)
UNITY_STATUS=$(gh api repos/${{ github.repository }}/commits/$HEAD_SHA/status --jq '.statuses[] | select(.context == "Unity Tests") | .state' | head -1)
Expand All @@ -68,11 +78,11 @@ jobs:
fi

# Determine if we should approve
if [ "$CLAUDE_STATUS" == "success" ] && [ "$UNITY_STATUS" == "success" ]; then
echo "All required checks passed!"
if [ "$CLAUDE_APPROVED" == "true" ] && [ "$UNITY_STATUS" == "success" ]; then
echo "All required checks passed and Claude found no issues!"
echo "should_approve=true" >> $GITHUB_OUTPUT
else
echo "Required checks not yet passed"
echo "Required checks not yet passed or Claude found issues"
echo "should_approve=false" >> $GITHUB_OUTPUT
fi

Expand Down Expand Up @@ -102,6 +112,6 @@ jobs:
run: |
PR_NUMBER="${{ steps.pr.outputs.number }}"

gh pr review $PR_NUMBER --approve --body "Auto-approved: Claude review passed and Unity Tests passed (or were skipped for non-code changes)."
gh pr review $PR_NUMBER -R ${{ github.repository }} --approve --body "Auto-approved: Claude review found no issues and Unity Tests passed (or were skipped for non-code changes)."

echo "PR #$PR_NUMBER approved!"
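Review bot: The approval gate on the new `CLAUDE_CHECK=` line selects check runs by display name only, and a check-run name is not bound to the app that created it, so any integration holding `checks: write` on the repository could post a run named `claude-review` with conclusion `success` and the expected summary line; filter on the creating app too, e.g. `select(.name == "claude-review" and .app.slug == "<claude-app-slug>")` with the slug copied from a genuine run. The message test is also looser than the `exact message check` comment states: `grep -q` treats the pattern as a regex (each `.` matches any character) and accepts substrings, so `grep -qF -x -- "No issues found. Checked for bugs and CLAUDE.md compliance"` would make it literal and whole-line. Because `head -1` on the `CLAUDE_OUTPUT=` line keeps only the first line of the summary, a multi-line summary is only ever matched on its first line, which may or may not be intended. When several `claude-review` runs exist for the same SHA (re-runs), the `head -1` on the `CLAUDE_STATUS=` line takes whichever run the API lists first rather than the latest, so status and output could come from a stale run. The `run:` block containing these lines begins before the hunk.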
9 changes: 8 additions & 1 deletion .github/workflows/pr-tests.yml
Expand Up @@ -12,15 +12,20 @@ concurrency:
group: pr-tests-${{ github.event.pull_request.number }}
cancel-in-progress: true

# Workflow-level permissions set to maximum needed by any job
# Individual jobs further restrict to only what they need
permissions:
contents: read
pull-requests: write
checks: write
statuses: write
pull-requests: write

jobs:
changes:
name: Detect Changes
runs-on: ubuntu-latest
permissions:
contents: read
outputs:
should_test: ${{ steps.filter.outputs.src }}
steps:
Expand Down Expand Up @@ -75,6 +80,8 @@ jobs:
needs: [changes, run-tests]
runs-on: ubuntu-latest
if: needs.changes.outputs.should_test == 'true' && needs.run-tests.result == 'success'
permissions:
contents: read
steps:
- name: Checkout repository
uses: actions/checkout@v4
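Review bot: The workflow-level `permissions:` block now hands `checks: write`, `statuses: write` and `pull-requests: write` to every job that does not declare its own block, so the added comment `Individual jobs further restrict to only what they need` holds only for jobs that actually do so; the `changes` and reporting jobs in these hunks set `contents: read`, but any job outside the hunk without a `permissions:` key (the `run-tests` job named in `needs:` is not visible here) inherits the full write set. Consider keeping the top-level block at `permissions: contents: read` and attaching the three write scopes only to the job that publishes results, which also makes the comment accurate without relying on each job remembering to restrict.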
1 change: 1 addition & 0 deletions .github/workflows/unity-tests.yml
Expand Up @@ -23,6 +23,7 @@ on:
description: 'Test results summary'
value: ${{ jobs.test.outputs.results }}

# Workflow-level permissions for reusable workflow
permissions:
contents: read
checks: write
10 changes: 10 additions & 0 deletions .scorecard.yml
Expand Up @@ -37,3 +37,13 @@ annotations:
- sast
reasons:
- reason: not-detected # CodeQL is configured but may not be recognized

# Token permissions: Write permissions required for CI functionality
# - checks: write - GameCI publishes test results as check runs
# - statuses: write - Setting commit status for branch protection
# - pull-requests: write - Commenting test results on PRs
# - contents: write - Release workflow creates tags and commits
- checks:
- token-permissions
reasons:
- reason: not-applicable # Write permissions required for test reporting and release automation
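Review bot: The new `token-permissions` annotation silences the check for the whole repository, so a future workflow that adds a top-level write grant would no longer be reported, while the justification in the comment block lists per-job needs (`checks: write` for test reporting, `contents: write` for the release job) that Scorecard accepts when the scope is declared on the job rather than at workflow top level, as pr-tests.yml in this same change does. If the release workflow's `contents: write` is currently workflow-level (it is not visible here), scoping it to the release job would allow this annotation to be narrowed or dropped; otherwise a line such as `# NOTE: blanket suppression; re-check whenever a workflow gains a top-level write scope` in the comment block would record the trade-off.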