
fix(repo): Harden workflow permissions #8217

Merged: tmilewski merged 4 commits into main from tom/user-5061-remedy-reported-clerkjavascript-code-scanning-issues on Apr 1, 2026

Conversation

@tmilewski (Member) commented Mar 31, 2026

  • Add explicit permissions: { contents: read } to three workflow files/jobs that were missing permission blocks, giving the GITHUB_TOKEN unnecessarily broad default access:
    • e2e-cleanups.yml
    • nightly-checks.yml
    • cache-for-alternate-node-versions job in release.yml
  • Add persist-credentials: false to the snapshot-release checkout step in release.yml to prevent checked-out PR code from accessing git credentials

Summary by CodeRabbit

  • Chores
    • Updated GitHub Actions workflows to refine token permissions and checkout configurations across e2e cleanup, nightly checks, and release pipelines.

tmilewski and others added 4 commits March 31, 2026 17:57

Restrict GITHUB_TOKEN to read-only content access. The workflow only
checks out code and runs cleanup scripts — no write permissions needed.

Fixes code scanning alert #234 (actions/missing-workflow-permissions).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Restrict GITHUB_TOKEN to read-only content access. The workflow only
checks out code, builds, runs integration tests, and reports to Slack
via webhook — no write permissions needed.

Fixes code scanning alert #184 (actions/missing-workflow-permissions).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

…ons job

Restrict GITHUB_TOKEN to read-only content access for this job. It only
checks out code and caches node_modules — no write permissions needed.

Fixes code scanning alert #225 (actions/missing-workflow-permissions).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Prevent the checked-out PR code from accessing the git credential used
to push to the base repository. The snapshot-release job checks out
untrusted PR code via issue_comment trigger; this limits credential
exposure without changing the existing org-membership security gate.

Mitigates code scanning alerts #229, #230, #231 (actions/untrusted-checkout).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
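The two changes the PR description and these commits describe, shown together in one illustrative workflow added here (not a file from the clerk/javascript repository): a workflow-level read-only token with a job-level override, and an issue_comment-triggered checkout of PR code with persist-credentials: false. The job names mirror the PR; the trigger condition, the checkout ref and the build commands are assumptions for the example.

```yaml
# Illustrative workflow added for this page, not a file from the repository.
name: snapshot-release-example

on:
  issue_comment:
    types: [created]

# Without a permissions block, GITHUB_TOKEN gets the repository's default
# scopes, which may include write access. A workflow that only checks out
# code and runs tests needs nothing beyond read access to contents.
permissions:
  contents: read

jobs:
  snapshot-release:
    # issue_comment runs in the context of the base repository, so the job
    # gates on the comment before it touches PR code. The PR's own gate is
    # an org-membership check (per the commit message); this simpler
    # condition is an assumption for the example.
    if: >-
      github.event.issue.pull_request &&
      startsWith(github.event.comment.body, '!snapshot')
    runs-on: ubuntu-latest
    steps:
      - name: Check out PR head
        uses: actions/checkout@v4
        with:
          ref: refs/pull/${{ github.event.issue.number }}/head
          # Default is true, which stores the token in .git/config as an
          # http.extraheader where any script from the checked-out PR can
          # read it. With false the credential is not left in the checkout.
          persist-credentials: false

      - name: Build and test (assumed commands)
        run: |
          npm ci
          npm test

  cache-for-alternate-node-versions:
    # A job-level block overrides the workflow default for this job only;
    # restoring caches and checking out code needs read access at most.
    permissions:
      contents: read
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
```

persist-credentials: false only keeps the token out of .git/config; it does not narrow what GITHUB_TOKEN can do, so the permissions block is still needed alongside it.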
@changeset-bot bot commented Mar 31, 2026

⚠️ No Changeset found

Latest commit: 3eeb8d5

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


@vercel bot commented Mar 31, 2026

The latest updates on your projects.

Project | Deployment | Actions | Updated (UTC)
clerk-js-sandbox | Ready | Preview, Comment | Mar 31, 2026 10:16pm

@pkg-pr-new bot commented Mar 31, 2026

commit: 3eeb8d5

@coderabbitai bot (Contributor) commented Mar 31, 2026

Walkthrough

Three GitHub Actions workflow files were modified to enhance security configurations. The .github/workflows/e2e-cleanups.yml and .github/workflows/nightly-checks.yml workflows received workflow-level permissions blocks restricting GitHub token access to read-only repository contents. The .github/workflows/release.yml workflow was updated with persist-credentials: false on the snapshot-release job's checkout action and added job-level read permissions to the cache-for-alternate-node-versions job. These changes restrict default token permissions across multiple workflow files without altering existing job logic or execution steps.

Pre-merge checks: 3 passed

Check name | Status | Explanation
Docstring Coverage | Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Title check | Passed | The pull request title clearly and concisely summarizes the main objective—hardening workflow permissions across multiple GitHub Actions workflows.
Description Check | Passed | Check skipped - CodeRabbit’s high-level summary is enabled.


@tmilewski changed the title from "fix(repo): Harden workflow permissions and snapshot checkout" to "fix(repo): Harden workflow permissions" on Mar 31, 2026
@dominic-clerk (Contributor) left a comment

Love it, thanks!

@tmilewski tmilewski merged commit 43d2776 into main Apr 1, 2026
54 checks passed
@tmilewski tmilewski deleted the tom/user-5061-remedy-reported-clerkjavascript-code-scanning-issues branch April 1, 2026 13:20