Skip to content

Restrict candidate workflow token permissions#5

Merged
bob-codedaptive merged 1 commit into
stable/1.0.xfrom
codex/fix-candidate-ci-write-token-exposure
Jul 6, 2026
Merged

Restrict candidate workflow token permissions#5
bob-codedaptive merged 1 commit into
stable/1.0.xfrom
codex/fix-candidate-ci-write-token-exposure

Conversation

@bob-codedaptive

Copy link
Copy Markdown
Member

Motivation

  • The candidate CI granted contents: write at workflow scope so every job got a write-capable GITHUB_TOKEN, allowing checked-out candidate code or build dependencies to modify repo refs or releases before the gated publish step.
  • Reduce the repository token blast radius by giving build/test jobs only read access and only allowing write access for the single job that publishes/prunes the prerelease.

Description

  • Change the workflow default permission from contents: write to contents: read in .github/workflows/candidate.yml so jobs do not inherit write capability by default.
  • Add persist-credentials: false to every actions/checkout invocation in the candidate workflow to prevent checked-out code from reusing the checkout-provided token.
  • Grant contents: write specifically to the prerelease job so only the publish/prune step has write rights.
  • Commit message: ci: restrict candidate workflow token permissions (updated file: .github/workflows/candidate.yml).

Testing

  • Ran a lightweight YAML sanity check with ruby -e 'require "yaml"; p YAML.load_file(".github/workflows/candidate.yml").keys', which succeeded.
  • Ran static validation via a Python script that checks for contents: read at the workflow level, persist-credentials: false on each checkout, and contents: write on the prerelease job, which passed using line-based checks (no PyYAML available in the environment).
  • Ran git diff --check to ensure no whitespace or diff issues, which passed.

Codex Task

@github-actions

github-actions Bot commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

Thank you for your contribution to MOOTx01. Before it can be merged we need you to sign our Contributor License Agreement. You can read it here: CLA.md. To sign, post a comment on this pull request with exactly the following text:


I have read the CLA Document and I hereby sign the CLA


You can retrigger this bot by commenting recheck in this Pull Request. Posted by the CLA Assistant Lite bot.

@bob-codedaptive bob-codedaptive merged commit 05bf91f into stable/1.0.x Jul 6, 2026
@bob-codedaptive bob-codedaptive deleted the codex/fix-candidate-ci-write-token-exposure branch July 6, 2026 14:46
bob-codedaptive pushed a commit that referenced this pull request Jul 7, 2026
convergeAlreadyWired() silently re-enabled vault tools by calling
mootx01 install without --vault-off. A user who chose the safer
vault-disabled posture would have import/export tools re-exposed
on the next .pkg upgrade with no user action.

Now reads the daemon LaunchAgent plist's MOOTX01_VAULT value before
convergence. If it's "0" (user chose --vault-off), passes --vault-off
to the convergence install call, preserving the prior posture.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
bob-codedaptive pushed a commit that referenced this pull request Jul 7, 2026
… monitoring parity

#14: release.yml signing steps now require both startsWith(refs/tags/)
AND github.event_name == 'push'. workflow_dispatch on a tag ref no
longer triggers cert import, signing, or publishing.

#13: candidate.yml validates version from Cargo.toml with strict
semver regex before any shell interpolation (supply-chain guard).

#5: candidate notarization steps guard APPLE_API_KEY_P8 presence
before xcrun notarytool — missing secrets skip gracefully.

#6: Swift InvertedIndexStore.remove() and deleteAll() now nil
cachedPair + RAM mirrors immediately on destructive ops. Rust
already nils cached on both paths.

#1: Rust vault import response reports COMPLETE with actual stats
instead of RUNNING (the Rust import is synchronous).

#7: Rust monitoring migration recognizes "unknown" source — no
longer re-enables monitoring for Swift-preserved opt-outs.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant