
ci: restrict perf workflow token permissions#34

Merged
saagpatel merged 1 commit into main from codex/ci/workflow-permissions on May 18, 2026

Conversation

@saagpatel
Owner

What

  • Add explicit read-only workflow permissions to the perf-enforced workflow.

Why

  • Clears the open code-scanning workflow-permissions alert by avoiding the default write-capable token posture.

How

  • Set top-level permissions: contents: read; existing job-level read permissions remain unchanged.

Testing

  • Commands run: python3 YAML parse for .github/workflows/perf-enforced.yml; GitHub compare check.
  • Results: Workflow YAML parsed successfully; remote branch diff contains only .github/workflows/perf-enforced.yml.

Performance impact

  • Bundle delta: N/A
  • Build time delta: N/A
  • Lighthouse delta: N/A
  • API latency delta: N/A
  • DB query delta: N/A

Risk / Notes

  • Low risk; this workflow only needs repository read access for checkout and local checks.

Screenshots (UI only)

  • N/A

Lockfile rationale (if lockfile changed)

  • N/A

Baseline governance (if .perf-baselines changed)

  • perf-baseline-update label applied: N/A
  • Reviewer signoff: N/A
  • Rollback note: Revert this workflow-only commit if a permission regression appears.
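The "How" section above sets a top-level permissions: contents: read so that the workflow's GITHUB_TOKEN no longer inherits the default write-capable posture. The following check, added here as an illustration and not part of this PR or the repository's own tooling, scans a workflow file for exactly that posture: it reports a missing top-level permissions block (jobs without their own block then run with the default token), a write-all grant, or any individual scope granted write. The three workflow texts are constructed samples; the scan is line-based and assumes the usual two-space indentation of workflow files rather than a full YAML parser.

```python
"""
Audit GitHub Actions workflow text for an explicit, read-only top-level
`permissions:` block.

Line-based scan with no PyYAML dependency. It assumes the conventional
two-space indentation of workflow files; a production linter would use a
real YAML parser. All workflow texts below are constructed samples.
"""
import re

# Constructed sample: no top-level permissions, so jobs lacking their own
# block run with the repository's default GITHUB_TOKEN posture.
WORKFLOW_DEFAULT_TOKEN = """\
name: perf-enforced
on: [pull_request]
jobs:
  perf:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
"""

# Constructed sample: explicit read-only top-level grant, the posture this
# PR applies (job-level read permissions kept as well).
WORKFLOW_READ_ONLY = """\
name: perf-enforced
on: [pull_request]
permissions:
  contents: read
jobs:
  perf:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
"""

# Constructed sample: explicit, but broader than a checkout-and-check job needs.
WORKFLOW_WRITE = """\
name: release
on: [push]
permissions:
  contents: write
  pull-requests: write
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: echo build
"""


def top_level_permissions(workflow_text):
    """Return the top-level `permissions` value: a shorthand string
    ("read-all", "write-all", "{}"), a dict of scope -> access for the
    mapping form, or None when the workflow declares none at top level."""
    lines = workflow_text.splitlines()
    for i, line in enumerate(lines):
        # Only a column-0 key counts; job-level blocks are indented.
        m = re.match(r"^permissions:\s*(.*?)\s*$", line)
        if not m:
            continue
        inline = m.group(1)
        if inline:
            return inline  # shorthand form on the same line
        scopes = {}
        for child in lines[i + 1:]:
            if not child.strip() or child.lstrip().startswith("#"):
                continue  # skip blank and comment lines inside the block
            if not child.startswith(" "):
                break  # back at column 0: the mapping has ended
            key, _, value = child.strip().partition(":")
            scopes[key.strip()] = value.strip()
        return scopes
    return None


def audit_permissions(workflow_text):
    """Return a list of findings; an empty list means the top-level
    posture is explicit and read-only (or empty)."""
    perms = top_level_permissions(workflow_text)
    if perms is None:
        return ["no top-level permissions: jobs without their own block "
                "run with the default token"]
    if perms == "write-all":
        return ["top-level permissions: write-all"]
    if isinstance(perms, str):
        return []  # read-all or {} both restrict the token
    return [f"{scope}: write" for scope, access in perms.items()
            if access == "write"]


if __name__ == "__main__":
    for name, text in [("default-token", WORKFLOW_DEFAULT_TOKEN),
                       ("read-only", WORKFLOW_READ_ONLY),
                       ("write", WORKFLOW_WRITE)]:
        print(name, audit_permissions(text) or "ok")
```

Run on a real file by passing its contents to audit_permissions; the read-only sample is the only one of the three that comes back clean, which matches the posture this PR's rollback note guards against regressing.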

@saagpatel saagpatel merged commit c55f5a4 into main May 18, 2026
24 checks passed
@saagpatel saagpatel deleted the codex/ci/workflow-permissions branch May 18, 2026 07:59