ci: update workflows to follow our new guidelines for gh actions #1250
Conversation
Pull request overview
This PR updates GitHub Actions workflows to follow new organizational guidelines for workflow security and naming. It implements the principle of least privilege by setting workflow-level permissions to empty (permissions: {}) and granting minimal, specific permissions at the job level. The changes also improve clarity by renaming workflows to better describe their purpose and distinguishing between event-based and reusable workflows.
Key changes:
- Set explicit minimal permissions at workflow and job levels across all workflow files
- Renamed workflows and jobs for better clarity (e.g., "Pre CI" → "Ensure Code Quality", "lib-ci" → "test-library")
- Removed redundant comments explaining workflow triggers
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| .github/workflows/test-library.yml | Added workflow-level permissions: {} and job-level contents: read; renamed job from "run-tests" to "test-library" |
| .github/workflows/test-example-notebooks.yml | Added workflow-level permissions: {} and job-level contents: read; renamed job to "test-example-notebooks" |
| .github/workflows/test-docs.yml | Added workflow-level permissions: {} and job-level contents: read; renamed workflow to "Build and Test Docs" and job to "build-docs" |
| .github/workflows/release-please.yml | Added workflow-level permissions: {}, expanded job-level permissions from write-all to specific permissions, added contents: write to create-output-artifact job |
| .github/workflows/publish-libecalc.yml | Added workflow-level permissions: {} and job-level contents: read; renamed jobs and added descriptive comment |
| .github/workflows/publish-docs.yml | Added workflow-level permissions: {} and job-level contents: write with explanatory comment |
| .github/workflows/on-push-main-branch.yml | Added workflow-level permissions: {} and job-level permissions; renamed workflow and jobs to use reusable workflow names |
| .github/workflows/on-push-any-branch.yml | Added workflow-level permissions: {} and renamed jobs to match reusable workflow names |
| .github/workflows/ensure-code-quality.yml | Added workflow-level permissions: {} and job-level contents: read; renamed workflow and job |
.github/workflows/release-please.yml
Outdated
| workflow_dispatch: # Workflow dispatch is used for manual triggers. | ||
| workflow_dispatch: | ||
| workflow_run: | ||
| workflows: [ "Main CI/CD" ] |
Copilot (AI), Nov 26, 2025
The workflow name reference "Main CI/CD" is outdated. This workflow has been renamed to "On push/merge to main" in this PR (see .github/workflows/on-push-main-branch.yml). Update the reference to match:
workflows: [ "On push/merge to main" ]
Without this change, the release-please workflow will not be triggered after pushes to the main branch.
| workflows: [ "Main CI/CD" ] | |
| workflows: [ "On push/merge to main" ] |
.github/workflows/release-please.yml
Outdated
| permissions: | ||
| contents: write |
Copilot (AI), Nov 26, 2025
The contents: write permission is unnecessary for this job. The job only creates local files and uploads them as artifacts using actions/upload-artifact@v5, which doesn't require contents: write. The artifact upload action works with default permissions. Consider removing this permission declaration or changing it to contents: read if checkout is added in the future.
| permissions: | |
| contents: write | |
| # permissions: block removed; default permissions are sufficient |
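Review bot: the suggested comment "default permissions are sufficient" is misleading for this job: since the PR also adds permissions: {} at the workflow level of release-please.yml (per the file summary), a job with no permissions: block of its own inherits no GITHUB_TOKEN scopes at all, not the repository default. That still works for a job that only writes local files and uploads them with actions/upload-artifact, which does not authenticate with GITHUB_TOKEN, but any step added later that checks out the repository or calls the GitHub API will fail until the needed scope is declared. Prefer an explicit permissions: {} (or contents: read) with a comment stating why, over removing the block and describing the result as "default".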
| ensure-code-quality: | ||
| permissions: | ||
| contents: read | ||
| uses: ./.github/workflows/ensure-code-quality.yml | ||
|
|
||
| lib-ci: | ||
| uses: ./.github/workflows/lib-ci.yml | ||
| test-library: | ||
| permissions: | ||
| contents: read | ||
| uses: ./.github/workflows/test-library.yml | ||
|
|
||
| docs-publish: | ||
| uses: ./.github/workflows/docs-publish.yml | ||
| publish-docs: | ||
| permissions: | ||
| contents: write | ||
| uses: ./.github/workflows/publish-docs.yml |
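Review bot: the job-level permissions: blocks on the uses: jobs in this hunk are not inert, and removing them would weaken the change. With permissions: {} at the workflow level of this caller (the file summary says on-push-main-branch.yml gets it), the contents: read on ensure-code-quality and test-library and the contents: write on publish-docs are the maximum GITHUB_TOKEN scopes handed to the called reusable workflows; a called workflow can narrow those scopes but cannot add any, so without these blocks the reusable workflows would run with an empty token. Keep them, and keep publish-docs as the single job declaring contents: write so the one write scope in the pipeline is visible at the call site.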
Copilot (AI), Nov 26, 2025
These permissions declarations are ineffective and misleading. When calling reusable workflows with uses:, permissions set at the job level in the calling workflow are ignored. The reusable workflow's own permissions (defined in the called workflow file) take precedence. Consider removing these declarations to avoid confusion, as they don't actually grant any permissions.
minimize permissions needed, differentiate between event based and reusable workflows
Refs: equinor/ecalc-internal#1253
Type of Work
See here (internal): https://github.com/equinor/ecalc-internal/discussions/1044
Have you remembered and considered?
- docs/drafts/next.draft.md
- docs/docs/migration_guides/
- BREAKING: in footer or ! in header
What is this PR all about?
What else did you consider?
Between the lines?