fix: add explicit permissions to CI and integration workflows #34

Merged: weklund merged 3 commits into main from fix/workflow-permissions, Apr 4, 2026

weklund (Owner) commented Apr 4, 2026

Summary

  • Adds permissions: contents: read to ci.yml, integration-nightly.yml, and integration-prerelease.yml
  • Resolves all 4 open CodeQL code-scanning alerts (#1, #2, #3, #4)
  • Follows least-privilege principle — these workflows only need read access to checkout code and run tests
  • release-please.yml and publish.yml already had explicit permissions

Test plan

  • CI passes on this PR (confirms contents: read is sufficient)
  • CodeQL re-scan shows alerts resolved after merge

🤖 Generated with Claude Code
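
Added example (not part of this PR, the repository's code, or CodeQL): a check for the condition the summary above describes, listing the jobs in a workflow that have neither a workflow-level nor a job-level `permissions` block. It reads space-indented, block-style YAML line by line; the function name and the sample workflows are constructed for illustration.

```python
import re

KEY = re.compile(r"^( *)([A-Za-z_][\w-]*):")

def jobs_missing_permissions(workflow_text):
    """Return ids of jobs that declare no `permissions` and inherit none."""
    section = current = job_indent = key_indent = None
    jobs = {}  # job id -> True once a job-level `permissions` key is seen
    for line in workflow_text.splitlines():
        m = KEY.match(line)
        if not m:  # blank lines, comments, list items such as `- uses:`
            continue
        indent, key = len(m.group(1)), m.group(2)
        if indent == 0:
            if key == "permissions":  # workflow-level block covers every job
                return []
            section = key
        elif section == "jobs":
            if job_indent is None:
                job_indent = indent
            if indent == job_indent:  # a new job id
                current, key_indent = key, None
                jobs[current] = False
            elif current is not None:
                if key_indent is None:
                    key_indent = indent  # indent of this job's own keys
                if indent == key_indent and key == "permissions":
                    jobs[current] = True
    return [job for job, ok in jobs.items() if not ok]

# Constructed sample workflows (not the repository's files).
BEFORE = """\
name: CI
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
"""
# Same workflow with the workflow-level block this PR adds.
AFTER = BEFORE.replace("on: [push]\n", "on: [push]\npermissions:\n  contents: read\n")
# Second job sets its own permissions; the first still has none.
MIXED = BEFORE + """\
  lint:
    runs-on: ubuntu-latest
    permissions:
      contents: read
"""
```

The check only reports a missing block; a block that is present but grants more than the job needs still has to be reviewed by hand.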

weklund and others added 3 commits April 4, 2026 10:31

The interactive `mlx-stack setup` command walks through hardware detection,
model selection, downloading, and stack startup in one guided flow — but it
was completely missing from the README. Now it leads the Quick Start and
CLI Reference sections, with the manual step-by-step flow in a collapsible
details block.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Resolves all 4 CodeQL code-scanning alerts for missing workflow
permissions by adding `permissions: contents: read` to ci.yml,
integration-nightly.yml, and integration-prerelease.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

test_follow_handles_empty_file_after_truncation used fixed sleep(1.0)
to wait for the follow thread to observe truncated content, causing
intermittent CI failures. Replaced with wait_for_content() polling
pattern already used by the adjacent test.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

weklund merged commit 0f8bfb0 into main Apr 4, 2026

5 checks passed

weklund pushed a commit that referenced this pull request Apr 4, 2026

🤖 I have created a release *beep* *boop*
---


## [0.3.6](v0.3.5...v0.3.6)
(2026-04-04)


### Bug Fixes

* add explicit permissions to CI and integration workflows
([#34](#34))
([0f8bfb0](0f8bfb0))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

weklund mentioned this pull request Apr 4, 2026