Skip to content

chore: tighten organization gitleaks workflow #1

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
BreakableHoodie merged 1 commit into from
Nov 14, 2025
Merged

chore: tighten organization gitleaks workflow #1

BreakableHoodie merged 1 commit into from
Nov 14, 2025

Conversation

@BreakableHoodie
Copy link
Contributor

@BreakableHoodie BreakableHoodie commented Nov 14, 2025

Summary

  • restrict the gitleaks workflow token to the minimum permissions it needs
  • keep the workflow non-blocking while we continue socializing the process

Testing

  • not run (workflow change only)

@BreakableHoodie BreakableHoodie merged commit 131f1c7 into main Nov 14, 2025
3 checks passed
chatgpt-codex-connector[bot]
chatgpt-codex-connector bot reviewed Nov 14, 2025
View reviewed changes
Copy link

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

.github/workflows/gitleaks.yml
Comment on lines 8 to 10
permissions:
actions: write
contents: read
pull-requests: write
Copy link

@chatgpt-codex-connector chatgpt-codex-connector bot Nov 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Restore actions write permission for artifact upload

The workflow token no longer requests actions: write, but the “Upload redacted report” step uses actions/upload-artifact@v4 to create an artifact. GitHub requires actions: write on GITHUB_TOKEN for artifact uploads; without it the step will return 403 and the job will fail whenever findings exist, defeating the stated goal of keeping the scan non‑blocking. Consider keeping read-only scopes elsewhere but still requesting actions: write or otherwise skipping the upload.

Useful? React with 👍 / 👎.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@chatgpt-codex-connector chatgpt-codex-connector[bot] chatgpt-codex-connector[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@BreakableHoodie