Restrict candidate workflow token permissions#5
Merged
bob-codedaptive merged 1 commit intoJul 6, 2026
Merged
Conversation
Contributor
|
Thank you for your contribution to MOOTx01. Before it can be merged we need you to sign our Contributor License Agreement. You can read it here: CLA.md. To sign, post a comment on this pull request with exactly the following text: I have read the CLA Document and I hereby sign the CLA You can retrigger this bot by commenting recheck in this Pull Request. Posted by the CLA Assistant Lite bot. |
bob-codedaptive
pushed a commit
that referenced
this pull request
Jul 7, 2026
convergeAlreadyWired() silently re-enabled vault tools by calling mootx01 install without --vault-off. A user who chose the safer vault-disabled posture would have import/export tools re-exposed on the next .pkg upgrade with no user action. Now reads the daemon LaunchAgent plist's MOOTX01_VAULT value before convergence. If it's "0" (user chose --vault-off), passes --vault-off to the convergence install call, preserving the prior posture. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
bob-codedaptive
pushed a commit
that referenced
this pull request
Jul 7, 2026
… monitoring parity #14: release.yml signing steps now require both startsWith(refs/tags/) AND github.event_name == 'push'. workflow_dispatch on a tag ref no longer triggers cert import, signing, or publishing. #13: candidate.yml validates version from Cargo.toml with strict semver regex before any shell interpolation (supply-chain guard). #5: candidate notarization steps guard APPLE_API_KEY_P8 presence before xcrun notarytool — missing secrets skip gracefully. #6: Swift InvertedIndexStore.remove() and deleteAll() now nil cachedPair + RAM mirrors immediately on destructive ops. Rust already nils cached on both paths. #1: Rust vault import response reports COMPLETE with actual stats instead of RUNNING (the Rust import is synchronous). #7: Rust monitoring migration recognizes "unknown" source — no longer re-enables monitoring for Swift-preserved opt-outs. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Motivation
contents: writeat workflow scope so every job got a write-capableGITHUB_TOKEN, allowing checked-out candidate code or build dependencies to modify repo refs or releases before the gated publish step.Description
contents: writetocontents: readin.github/workflows/candidate.ymlso jobs do not inherit write capability by default.persist-credentials: falseto everyactions/checkoutinvocation in the candidate workflow to prevent checked-out code from reusing the checkout-provided token.contents: writespecifically to theprereleasejob so only the publish/prune step has write rights.ci: restrict candidate workflow token permissions(updated file:.github/workflows/candidate.yml).Testing
ruby -e 'require "yaml"; p YAML.load_file(".github/workflows/candidate.yml").keys', which succeeded.contents: readat the workflow level,persist-credentials: falseon each checkout, andcontents: writeon theprereleasejob, which passed using line-based checks (noPyYAMLavailable in the environment).git diff --checkto ensure no whitespace or diff issues, which passed.Codex Task