Conversation
Pull request overview
This PR adds Dependabot automation for GitHub Actions updates and hardens GitHub Actions workflows by applying least-privilege permissions and modernizing tooling installation in CI.
Changes:
- Add .github/dependabot.yml to open weekly grouped GitHub Actions update PRs with standardized metadata.
- Apply default permissions: {} to workflows and set job-level permissions explicitly.
- Update workflow steps in compile.yml (checkout/upload-artifact versions, credential persistence, and sha256-verified downloads).
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| .github/workflows/security-code-scanner.yml | Locks default token permissions down and relies on job-level permissions for the reusable scanner workflow call. |
| .github/workflows/compile.yml | Adds least-privilege permissions and replaces ad-hoc installs with sha256-verified downloads and consolidated apt installs; updates checkout/upload-artifact actions. |
| .github/dependabot.yml | Introduces Dependabot configuration for weekly GitHub Actions dependency updates with grouping and PR metadata. |
| archive-build-spec: | ||
| name: Build & Upload Specification PDF | ||
| permissions: | ||
| contents: read |
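Review bot: With permissions: {} set at the workflow level, the contents: read block under archive-build-spec is the entire GITHUB_TOKEN scope for this job, so the artifact upload step runs with no actions scope at all; confirm with a workflow_dispatch run that the upload succeeds under this token before merging, and if it is denied, add the missing scope to this job-level block rather than reintroducing a workflow-level default.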
permissions: {} at the workflow level removes all default GITHUB_TOKEN scopes, but this job later uploads an artifact. actions/upload-artifact typically requires the token to have actions: write; with only contents: read granted here, the upload step may be denied. Consider adding the minimal required actions permission at the job level (or to just the upload step via a separate job if you want to keep tighter scoping).
| contents: read | |
| contents: read | |
| actions: write |
I think it is not. That said, the original workflow never ran with restricted permissions, so this hasn't been tested empirically for this repo. The workflow dispatch will be the definitive proof. If the upload step fails with a 403, then adding actions: write is the fix, but I don't expect it to.
@OlivierBBB I've opened a new pull request, #367, to work on those changes. Once the pull request is ready, I'll request review from you.
OlivierBBB left a comment
LGTM, but I'm not particularly knowledgeable on this stuff
Note
Low Risk
Changes are limited to CI/configuration and should not affect runtime behavior; main risk is CI failures due to updated action versions or stricter permissions/tool install steps.
Overview
- Adds a new .github/dependabot.yml to enable weekly Dependabot updates for GitHub Actions, with grouping/labeling and PR limits.
- Hardens CI workflows by defaulting permissions to none and granting job-level minimal access, updates actions/checkout and actions/upload-artifact to @v6, and makes the spec build more reproducible by verifying SHA256 for downloaded font/tectonic artifacts and installing required system packages in a single step.
- Updates Makefile buildOnGithub-% to invoke system tectonic (matching the workflow install) instead of a repo-local binary.

Written by Cursor Bugbot for commit 0ebab0f.
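A workflow in the shape the changes above describe (workflow-level permissions: {}, a job-level contents: read, credential persistence switched off, and a sha256-verified tectonic download that aborts before anything unverified is executed), written here as an added example rather than the repository's actual compile.yml; the download URL, checksum, apt package name and make target stem are placeholders and assumptions, not values from this PR.

```yaml
# Added example, not the repository's compile.yml. URL, sha256, package
# name and make target stem below are placeholders to be replaced.
name: compile

on:
  push:
  workflow_dispatch:

# Workflow-level default: the GITHUB_TOKEN gets no scopes at all, so every
# job must state exactly what it needs.
permissions: {}

jobs:
  archive-build-spec:
    name: Build & Upload Specification PDF
    runs-on: ubuntu-latest
    # Job-level least privilege. If the upload step is denied under this
    # scope, widen it here, never by restoring a workflow-level default.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v6
        with:
          # Do not leave the token in .git/config for later steps to read.
          persist-credentials: false

      - name: Install system packages in a single step (package name assumed)
        run: sudo apt-get update && sudo apt-get install -y --no-install-recommends fonts-dejavu

      - name: Download tectonic and verify sha256 before use
        env:
          TECTONIC_URL: https://example.invalid/tectonic.tar.gz  # placeholder
          TECTONIC_SHA256: "0000000000000000000000000000000000000000000000000000000000000000"  # placeholder
        run: |
          set -euo pipefail
          curl -fsSL --retry 3 -o tectonic.tar.gz "$TECTONIC_URL"
          # sha256sum -c exits non-zero on mismatch; with set -e the job stops
          # here, before the archive is extracted or the binary is run.
          echo "${TECTONIC_SHA256}  tectonic.tar.gz" | sha256sum -c -
          tar -xzf tectonic.tar.gz
          sudo install -m 0755 tectonic /usr/local/bin/tectonic

      # Target stem "spec" is assumed; the PR's Makefile pattern is buildOnGithub-%.
      - run: make buildOnGithub-spec

      - uses: actions/upload-artifact@v6
        with:
          name: spec-pdf
          path: '*.pdf'
```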