Change workflow permissions level #2369

Merged
ZePan110 merged 1 commit into main from ze-fix/gha on Dec 19, 2025

ZePan110 (Collaborator) commented Dec 19, 2025

Description

Change workflow permissions level

Issues

https://github.com/opea-project/GenAIExamples/security/code-scanning/510

Type of change

List the type of change like below. Please delete options that are not relevant.

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds new functionality)
  • Breaking change (fix or feature that would break existing design and interface)
  • Others (enhancement, documentation, validation, etc.)

Dependencies

List the newly introduced 3rd party dependency if exists.

Tests

Describe the tests that you ran to verify your changes.

Signed-off-by: ZePan110 <ze.pan@intel.com>
@ZePan110 ZePan110 requested a review from chensuyue as a code owner December 19, 2025 01:42
Copilot AI review requested due to automatic review settings December 19, 2025 01:42
Copilot AI (Contributor) left a comment

Pull request overview

This PR adjusts the security scope of GitHub Actions workflow permissions by moving the contents: write permission from the workflow level to the job level. This follows GitHub's principle of least privilege by limiting write access to only the specific job that requires it, rather than granting it to the entire workflow.

Key changes:

  • Relocated contents: write permission from workflow scope to job scope in the freeze-tag workflow
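
The permission move described in the review above, as an added example that is not part of the pull request or the project's workflow file: a small Python check that reports write scopes granted at workflow level, run over two constructed workflows. The job names, steps, the `permissions: {}` default and the function `workflow_level_writes` are assumptions made for illustration.

```python
import re

# Constructed samples with hypothetical jobs and steps; not the project's workflow file.
BEFORE = """\
on: workflow_dispatch
permissions:
  contents: write        # inherited by every job below
jobs:
  freeze-tag:
    runs-on: ubuntu-latest
    steps: [{run: "echo create and push the tag"}]
  report:
    runs-on: ubuntu-latest
    steps: [{run: "echo needs no repository write"}]
"""
AFTER = """\
on: workflow_dispatch
permissions: {}          # assumption: workflow-level default grants nothing
jobs:
  freeze-tag:
    runs-on: ubuntu-latest
    permissions:
      contents: write    # only this job's token can write
    steps: [{run: "echo create and push the tag"}]
  report:
    runs-on: ubuntu-latest
    steps: [{run: "echo needs no repository write"}]
"""

def workflow_level_writes(text):
    """Return the write scopes granted by the top-level `permissions` key."""
    scopes, in_block = [], False
    for raw in text.splitlines():
        line = re.sub(r"\s+#.*$", "", raw)          # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():                   # column-0 key opens or closes the block
            m = re.match(r"permissions:\s*(\S*)", line)
            in_block = bool(m) and m.group(1) == ""
            if m and m.group(1) == "write-all":
                scopes.append("write-all")
        elif in_block:                              # scope lines under top-level permissions
            scopes += re.findall(r"^\s+([\w-]+):\s*write\s*$", line)
    return scopes

if __name__ == "__main__":
    for name, wf in (("before", BEFORE), ("after", AFTER)):
        print(name, workflow_level_writes(wf) or "no workflow-level write scopes")
```

The check is line-based and only inspects the top-level `permissions` key; job-level grants such as the one in `AFTER` are deliberately not reported.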


@github-actions

Dependency Review

✅ No vulnerabilities or license issues found.

Scanned Files

None

@ZePan110 ZePan110 merged commit dfcce16 into main Dec 19, 2025
15 checks passed
@ZePan110 ZePan110 deleted the ze-fix/gha branch December 19, 2025 02:33
cogniware-devops pushed a commit to Cogniware-Inc/GenAIExamples that referenced this pull request Dec 19, 2025
Signed-off-by: ZePan110 <ze.pan@intel.com>
Signed-off-by: cogniware-devops <ambarish.desai@cogniware.ai>
cogniware-devops pushed a commit to Cogniware-Inc/GenAIExamples that referenced this pull request Dec 19, 2025
Signed-off-by: ZePan110 <ze.pan@intel.com>
Signed-off-by: cogniware-devops <ambarish.desai@cogniware.ai>