
ci: harden SCIP workflow permissions#163

Open
grtninja wants to merge 1 commit into sourcegraph:master from grtninja:codex/ci-harden-scip-workflow

Conversation

@grtninja

Summary

  • pin actions/checkout in .github/workflows/scip.yml to an immutable commit SHA
  • add explicit minimal permissions for the workflow token

Why

This keeps the existing SCIP upload flow intact while making the workflow a little
safer and more explicit:

  • the checkout action no longer floats on a tag
  • the workflow token is limited to contents: read
  • the change stays one-file and behavior-preserving

Related public lane: this follows the same workflow-hardening pattern as
NousResearch/hermes-agent#7646 and Aider-AI/aider#5021.

Validation

  • YAML parse of .github/workflows/scip.yml
  • git diff --check

No Go source files or runtime code paths were changed in this patch.

Pin actions/checkout in the SCIP workflow to an immutable commit SHA and trim the workflow token to contents: read. This keeps the existing upload behavior while reducing tag drift and default token scope without changing the workflow surface.

Signed-off-by: grtninja <grtninja@hotmail.com>
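The PR text describes the two hardening steps (pin the action to a commit SHA, trim the token to contents: read) but the diff itself is not reproduced on this page. The script below is an added example, not the PR's change or Sourcegraph's code: it embeds a constructed "before" workflow and a constructed "after" workflow of the shape the summary describes and runs the two checks a reviewer would apply to them. The workflow contents and the 40-hex SHA are placeholders; the real .github/workflows/scip.yml and the actual actions/checkout commit are not on the page.

```python
import re

# Constructed sample of the "before" shape described in the PR: actions/checkout
# floating on a tag and no permissions block. Hypothetical content, not the real
# .github/workflows/scip.yml.
WEAK_WORKFLOW = """\
name: scip
on:
  push:
    branches: [master]
jobs:
  scip:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: echo "upload scip index"
"""

# Constructed sample of the hardened shape: top-level permissions trimmed to
# contents: read and the action pinned to a full commit SHA. The SHA is a
# placeholder, not a real actions/checkout commit; the trailing "# v4" comment is
# the convention that lets Dependabot/Renovate keep proposing updates.
HARDENED_WORKFLOW = """\
name: scip
on:
  push:
    branches: [master]
permissions:
  contents: read
jobs:
  scip:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - run: echo "upload scip index"
"""

# "uses: owner/repo@ref" on a step line; the ref stops at whitespace or a comment.
USES_RE = re.compile(r"^[ \t]*-?[ \t]*uses:[ \t]*([^@\s#]+)@([^\s#]+)", re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# A workflow-level permissions block sits at column 0; a job-level one is indented.
TOP_LEVEL_PERMISSIONS_RE = re.compile(r"^permissions:", re.MULTILINE)


def unpinned_actions(workflow_text):
    """Return (action, ref) pairs whose ref is not a full 40-hex commit SHA.

    A tag such as v4 or a branch such as main is mutable: whoever controls the
    action repository can move it, so it is reported. Local actions (./path) and
    docker:// references carry no @ref and are not matched by USES_RE.
    """
    return [(action, ref) for action, ref in USES_RE.findall(workflow_text)
            if not SHA_RE.match(ref)]


def has_top_level_permissions(workflow_text):
    """True when the workflow declares a workflow-level permissions: block."""
    return bool(TOP_LEVEL_PERMISSIONS_RE.search(workflow_text))


def findings(workflow_text):
    """Human-readable findings for the two checks; an empty list means both pass."""
    out = [f"{action}@{ref}: not pinned to a commit SHA"
           for action, ref in unpinned_actions(workflow_text)]
    if not has_top_level_permissions(workflow_text):
        out.append("no top-level permissions: block; GITHUB_TOKEN falls back to "
                   "the repository default scope")
    return out


if __name__ == "__main__":
    for name, text in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, findings(text) or ["ok"])
```

Two caveats when applying the pattern to a real workflow. A job-level permissions block is an equally valid way to scope the token and would be missed by the top-level check above; extend the check if the repository uses that style. And contents: read does not change what actions/checkout itself does with the token: its persist-credentials input defaults to true, which leaves the token in the checked-out repository's git config for later steps, so a read-only index-upload job usually also sets persist-credentials: false.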