Only request read permission for PR scan #16295
AlanCoding wants to merge 1 commit into ansible:devel from
🧹 Nitpick comments (1)
.github/workflows/pr_body_check.yml (1)
14-16: packages: read is still over-scoped — the permission can be dropped entirely. No step in this workflow interacts with GitHub Packages (no container pulls/pushes, no package publishing). The packages entry can be removed rather than downgraded. That said, changing it from write to read is the correct direction and resolves the fork-PR approval gate described in the PR.
♻️ Proposed cleanup
permissions: - packages: read contents: read
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/pr_body_check.yml around lines 14 - 16, The workflow's permissions block is still granting packages: read unnecessarily; remove the packages line entirely from the permissions block so only required permissions remain (e.g., keep contents: read if needed). Locate the permissions block (the "permissions:" mapping and the "packages:" key) and delete the "packages: read" entry, ensuring YAML remains valid and other permission keys like "contents: read" are preserved.
0e6d1b3 to 37bb2c6 (Compare)
Actionable comments posted: 1
| permissions: | ||
| packages: write | ||
| packages: read | ||
| contents: read |
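Review bot: this hunk swaps `packages: write` for `packages: read` but keeps a scope nothing in the workflow needs; the analysis in the thread finds no package registry reference and no actions/checkout step, so the `packages:` line should be deleted outright and `contents: read` dropped as well, leaving the block empty (`permissions: {}`) or absent. The PR summary should also not claim this resolves the approval button: the fork-PR "workflow awaiting approval" gate is set under the repository's Actions settings, not by the token scopes a workflow declares, so the downgrade alone does not change it.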
🧩 Analysis chain
🏁 Script executed:
cat .github/workflows/pr_body_check.yml
Repository: ansible/awx
Length of output: 1512
🏁 Script executed:
#!/bin/bash
# Check whether any step in the workflow references GITHUB_TOKEN with packages scope
# or calls any GitHub Packages API/registry endpoint.
rg -n "packages\|ghcr\.io\|pkg\.github\.com\|npm\.pkg\.github\.com" .github/workflows/pr_body_check.yml
Repository: ansible/awx
Length of output: 37
Remove unused packages and contents permissions from the workflow
The workflow declares packages: read and contents: read, but neither is used. The rg search confirms zero references to GitHub Container Registry or package registries throughout the workflow. The only data source is ${{ github.event.pull_request.body }} (from the webhook event context), which requires no repository access. Since no actions/checkout step exists, contents: read is unnecessary.
Remove the entire permissions block or leave it empty:
Fix: drop unused permissions
- permissions:
- packages: read
- contents: read
Note: The "workflow awaiting approval" banner is controlled by repository settings (Settings → Actions → Fork pull request workflows), independent of declared permission scopes. Changing packages: write to packages: read would not have resolved the approval gate.
📝 Committable suggestion
| permissions: | |
| packages: write | |
| packages: read | |
| contents: read |
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/pr_body_check.yml around lines 14 - 16, The workflow
declares an unused permissions block (the keys `permissions`, `packages`, and
`contents`) even though the job only reads `${{ github.event.pull_request.body
}}` and never uses `actions/checkout` or package registries; remove the entire
`permissions:` block (or leave it present but empty) from the workflow to
eliminate unnecessary scopes (`packages: read`, `contents: read`) and keep the
workflow minimal.
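To make the recommendation above concrete, here is an added example (not the ansible/awx workflow and not code from the PR) showing the over-scoped permissions block beside a minimal one in an otherwise complete workflow. The page shows only the permissions block and that the job reads `${{ github.event.pull_request.body }}`; the trigger, the job name and the step body are assumptions made for the illustration.

```yaml
# Added illustration; not the actual ansible/awx pr_body_check.yml.
# Before: the job token carries a write scope the job never exercises.
name: PR body check (over-scoped, for comparison)
on: pull_request              # assumed trigger
permissions:
  packages: write             # unused: no registry pull or push in this job
  contents: read              # unused: no actions/checkout step
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - name: Inspect PR body (assumed step)
        env:
          PR_BODY: ${{ github.event.pull_request.body }}
        run: test -n "$PR_BODY"
---
# After: explicitly empty permissions. The job only reads the webhook event
# payload, which needs no GITHUB_TOKEN scope at all.
name: PR body check
on: pull_request              # assumed trigger
permissions: {}
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - name: Inspect PR body (assumed step)
        env:
          PR_BODY: ${{ github.event.pull_request.body }}
        run: test -n "$PR_BODY"
```

`permissions: {}` is the explicit form of "leave it present but empty": every GITHUB_TOKEN scope is set to none for the whole workflow, and a job that later needs a scope can declare it at job level. The example passes the body to the shell through `env:` rather than interpolating the expression into `run:`, which is the general practice for untrusted pull-request text; the page does not show how the real workflow consumes the body, so that choice is part of the illustration, not a statement about the repository's step.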
SUMMARY
attempted fix for the approval button
ISSUE TYPE
COMPONENT NAME
Note
Low Risk
CI workflow permission tightening only; no product code or data-handling logic is affected.
Overview
Reduces the pr_body_check.yml GitHub Actions workflow permissions by changing packages: write to packages: read, keeping contents: read unchanged.
Written by Cursor Bugbot for commit 37bb2c6.