fix: add workflow permissions and concurrency #43
Conversation
Cursor Bugbot has reviewed your changes and found 4 potential issues.
Bugbot Autofix prepared fixes for all 4 issues found in the latest run.
- ✅ Fixed: Workflow triggers under concurrency
- Moved push/pull_request/schedule triggers under on: and placed permissions and concurrency as separate top-level keys in codeql-rust, pages-deploy, and scorecard.
- ✅ Resolved by another fix: TruffleHog token not interpolated
- Removed the escaped GH_TOKEN env block by switching the scan to trufflehog git file://., which does not require GitHub API authentication.
- ✅ Fixed: TruffleHog github missing repo
- Replaced trufflehog github with trufflehog git file://. to scan the checked-out repository history, matching other workflows in the repo.
- ✅ Fixed: Release job concurrency cancel
- Set cancel-in-progress to false on the release workflow so in-flight cargo publish and promotion runs are not cancelled by subsequent pushes.
Preview (ed4bbf6a22)
diff --git a/.github/workflows/codeql-rust.yml b/.github/workflows/codeql-rust.yml
--- a/.github/workflows/codeql-rust.yml
+++ b/.github/workflows/codeql-rust.yml
@@ -1,13 +1,6 @@
name: CodeQL (Rust)
on:
-permissions:
- contents: read
-
-concurrency:
- group: ${{ github.workflow }}-${{ github.ref }}
- cancel-in-progress: true
-
push:
branches: [main]
pull_request:
@@ -16,6 +9,13 @@
- cron: '17 4 * * 2'
workflow_dispatch:
+permissions:
+ contents: read
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
jobs:
analyze:
name: Analyze (rust)
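Review bot: the new workflow-level `permissions: contents: read` also caps the `analyze` job unless that job overrides it, and CodeQL's results upload needs `security-events: write`; the job-level block is outside this hunk, so confirm `analyze` declares its own `permissions:` with `security-events: write` alongside `contents: read`, otherwise the analysis runs but the upload step is rejected with the read-only token.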
diff --git a/.github/workflows/pages-deploy.yml b/.github/workflows/pages-deploy.yml
--- a/.github/workflows/pages-deploy.yml
+++ b/.github/workflows/pages-deploy.yml
@@ -1,6 +1,11 @@
name: Deploy Docs
on:
+ push:
+ branches: [main, master]
+ paths:
+ - 'docs/**'
+
permissions:
contents: read
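Review bot: two things to check here. The `paths: - 'docs/**'` filter means a change to this workflow file itself, or to site build configuration outside `docs/`, never triggers a redeploy; adding `.github/workflows/pages-deploy.yml` to `paths` avoids a stale site after workflow edits. And `contents: read` at workflow level is correct, but a Pages deploy job needs `pages: write` and `id-token: write` at the job level, which this hunk does not show, so confirm the `deploy` job sets them.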
@@ -8,11 +13,6 @@
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
- push:
- branches: [main, master]
- paths:
- - 'docs/**'
-
jobs:
deploy:
runs-on: ubuntu-24.04
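Review bot: with the `push` trigger moved out, this leaves `cancel-in-progress: true` on the deploy group. For a docs site where the latest commit should win that is acceptable, but a cancelled run can be aborted mid-upload; if the deploy step is not safe to interrupt, use `cancel-in-progress: false` here as release.yml does later in this PR.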
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -13,7 +13,7 @@
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
- cancel-in-progress: true
+ cancel-in-progress: false
jobs:
release:
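Review bot: `cancel-in-progress: false` is right for a publish job, but the group is still keyed on `github.ref`, so two tag pushes in quick succession run their release jobs concurrently rather than queued; if `cargo publish` and the promotion step must not overlap across releases, key the group on the workflow alone, e.g. `group: ${{ github.workflow }}`, so runs serialize.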
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -1,12 +1,5 @@
name: OpenSSF Scorecard
on:
-permissions:
- contents: read
-
-concurrency:
- group: ${{ github.workflow }}-${{ github.ref }}
- cancel-in-progress: true
-
branch_protection_rule:
schedule:
- cron: '17 3 * * 6'
@@ -15,6 +8,10 @@
permissions: read-all
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
jobs:
analysis:
name: Scorecard analysis
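Review bot: `permissions: read-all` at workflow level now sits directly above the new concurrency block, and Scorecard's job needs `security-events: write` for the SARIF upload and `id-token: write` to publish results; the `analysis` job's own `permissions:` block is not in this hunk, so confirm it overrides the workflow default. `cancel-in-progress: true` is harmless for the `schedule` and `branch_protection_rule` triggers shown above, since a superseded weekly run is simply replaced.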
diff --git a/.github/workflows/trufflehog.yml b/.github/workflows/trufflehog.yml
--- a/.github/workflows/trufflehog.yml
+++ b/.github/workflows/trufflehog.yml
@@ -19,6 +19,4 @@
with:
fetch-depth: 0
- uses: trufflehog/actions/setup@17456cf5a9c8be7821b4dc568702b5f43650a8ad # was: @main
- - run: trufflehog github --only-verified --no-update
- env:
- GH_TOKEN: \${{ github.token }}
+ - run: trufflehog git file://. --only-verified --no-update
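Review bot: switching to `trufflehog git file://.` removes the need for a token and, with the `fetch-depth: 0` checkout above, scans the full history, but the TruffleHog CLI exits 0 even when it reports verified secrets unless `--fail` is passed, so as written this step never fails the job; add `--fail` so findings block the merge. Note also that `--only-verified` drops unverified results, which keeps noise down but means a secret for a service TruffleHog cannot verify goes unreported; a short comment beside the step documenting that trade-off would help the next reader.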
Reviewed by Cursor Bugbot for commit 355f43a.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
Workflow triggers under concurrency
High Severity
permissions and concurrency were inserted directly under on: before event keys, so push, pull_request, and other triggers are nested under concurrency instead of on. The workflows no longer declare valid triggers and will not run as intended.
Additional Locations (2)
- uses: trufflehog/actions/setup@17456cf5a9c8be7821b4dc568702b5f43650a8ad # was: @main
- run: trufflehog github --only-verified --no-update
  env:
    GH_TOKEN: \${{ github.token }}
TruffleHog token not interpolated
High Severity
The GH_TOKEN env value uses a leading backslash before the expression, so GitHub Actions likely passes the literal string instead of the job token. The trufflehog github step may run unauthenticated or fail verification for --only-verified.
with:
  extra_args: --only-verified
- uses: trufflehog/actions/setup@17456cf5a9c8be7821b4dc568702b5f43650a8ad # was: @main
- run: trufflehog github --only-verified --no-update
TruffleHog github missing repo
Medium Severity
The job checks out the repo but runs trufflehog github without --repo (or equivalent scope). That subcommand targets GitHub API repos, unlike the prior action’s git/filesystem scan, so coverage of this repository’s commits may be wrong or empty.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
Release job concurrency cancel
Medium Severity
New workflow concurrency uses cancel-in-progress: true on main for the release workflow. A second push while cargo publish or promotion is running can cancel the in-flight run and leave publishing or promotion incomplete.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
355f43a to b6d1d5f

on:
permissions:
contents: read

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

push:
🔴 Architect Review — CRITICAL
The workflow-level permissions and concurrency blocks are placed between on: and its trigger keys at the wrong indentation, so the push/pull_request/schedule keys are no longer valid children of on:. This yields invalid/broken workflow YAML in this file, and the same pattern appears in .github/workflows/pages-deploy.yml and .github/workflows/scorecard.yml, preventing those workflows from triggering correctly.
Suggestion: Move permissions and concurrency to be top-level siblings of on (e.g. permissions/concurrency/on all at the same indentation) in all three files, then run a GitHub Actions/YAML linter to confirm the workflows parse and the triggers are correctly nested under on:.
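A small lint that mechanically checks what the Bugbot finding ("Workflow triggers under concurrency") and this review ask for: triggers actually sit under `on:`, `permissions:` and `concurrency:` are top-level siblings, and no `${{ }}` expression is escaped into a literal string. This is an added example, not code from the PR or its repository. It walks the file by indentation instead of using a YAML library so it runs with no dependencies, and it goes one step beyond the comments by also flagging a workflow with no top-level `permissions:`. `BROKEN` and `FIXED` are constructed sample workflows modelled on the two layouts the reviews describe, not files from the repository.

```python
"""Lint GitHub Actions workflow files for the structural mistakes raised in
this PR review: triggers that ended up under the wrong parent key, a missing
workflow-level permissions: block, and escaped ${{ }} expressions that reach
the step as literal text.  Added example, not the PR's or the repository's
code; the parser below only understands the block-style mappings that
workflow files use."""
import re
from typing import Dict, List

KEY_RE = re.compile(r"^([A-Za-z_][\w.-]*):(\s|$)")
# Workflow keys that belong at the top level and never under on:.
TOP_LEVEL_ONLY = {"permissions", "concurrency", "jobs", "env", "defaults"}
CONCURRENCY_KEYS = {"group", "cancel-in-progress"}


def key_tree(text: str) -> Dict:
    """Build {key: {child: ...}} from block-style YAML using indentation.
    Sequence items ("- ...") are treated as leaves and not descended into.
    Unlike a YAML 1.1 loader (PyYAML reads the bare key `on` as boolean
    True), the key keeps its literal spelling here."""
    root: Dict = {}
    stack = [(-1, root)]  # (indent, mapping node)
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        if line.startswith("- "):
            continue
        m = KEY_RE.match(line)
        if not m:
            continue  # scalar continuation line, not a mapping key
        while stack[-1][0] >= indent:
            stack.pop()
        node: Dict = {}
        stack[-1][1][m.group(1)] = node
        stack.append((indent, node))
    return root


def lint_workflow(text: str) -> List[str]:
    """Return human-readable findings; an empty list means the file is clean."""
    findings: List[str] = []
    tree = key_tree(text)
    on = tree.get("on")
    if on is None:
        findings.append("no top-level 'on:' block")
    elif not on:
        findings.append("'on:' has no triggers (the workflow will never run)")
    else:
        for key in sorted(on):
            if key in TOP_LEVEL_ONLY:
                findings.append("'%s' is nested under 'on:'; move it to the top level" % key)
    conc = tree.get("concurrency")
    if conc is not None:
        for key in sorted(set(conc) - CONCURRENCY_KEYS):
            findings.append("unexpected key '%s' under 'concurrency:'; a trigger probably lost its parent 'on:'" % key)
    if "permissions" not in tree:
        findings.append("no top-level 'permissions:'; the job token falls back to the repository default")
    for lineno, raw in enumerate(text.splitlines(), 1):
        if "\\${{" in raw:
            findings.append("line %d: escaped expression '\\${{' reaches the step as a literal string" % lineno)
    return findings


# Constructed sample modelled on the broken layout the reviews describe: on: is
# left empty, the triggers are indented under concurrency:, and the token is escaped.
BROKEN = r"""name: Secret scan
on:
permissions:
  contents: read

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: '17 4 * * 2'
  workflow_dispatch:
jobs:
  scan:
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - run: trufflehog github --only-verified --no-update
        env:
          GH_TOKEN: \${{ github.token }}
"""

# Constructed sample with the corrected layout: triggers under on:, permissions
# and concurrency as top-level siblings, and a local git scan that needs no token.
FIXED = r"""name: Secret scan
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: '17 4 * * 2'
  workflow_dispatch:

permissions:
  contents: read

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  scan:
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - run: trufflehog git file://. --only-verified --no-update
"""

if __name__ == "__main__":
    for label, doc in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, lint_workflow(doc) or "clean")
```

Run it against `.github/workflows/*.yml` by reading each file into `lint_workflow`; the broken sample yields an empty `on:`, four trigger keys misfiled under `concurrency:` and the escaped token, while the fixed sample comes back clean. The indentation walk is deliberately simple: it is enough to catch the misplaced-key mistake, and it avoids the YAML 1.1 `on` → `True` surprise that trips up checkers built on a full loader.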
- run: trufflehog github --only-verified --no-update
  env:
    GH_TOKEN: \${{ secrets.GITHUB_TOKEN }}
    GH_TOKEN: \${{ github.token }}
🔴 Architect Review — CRITICAL
The new CLI-based TruffleHog step sets GH_TOKEN to the literal string \${{ github.token }} (escaped), so the environment variable does not receive a real GitHub token and TruffleHog's github scan will run without valid authentication or fail when calling the GitHub API.
Suggestion: Change the env to use an actual GitHub expression (e.g. GH_TOKEN: ${{ github.token }} or GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} without escaping) and keep a single authoritative token source for this step, then verify in a run that the TruffleHog command sees an authenticated token.
User description
Summary
- permissions: and concurrency: blocks across 18 CI workflows.
- journey-gate.yml workflow alongside the rest.
Test plan
🤖 Generated with Claude Code
Note
Medium Risk
Mostly workflow hygiene, but concurrency can cancel runs mid-flight and pinned SHAs change release-drafter/machete behavior; malformed on:/permissions nesting in a couple of files (if present) could break those workflows entirely.
Overview
CI workflows now use shared concurrency groups (workflow + ref, cancel-in-progress: true) so newer pushes on the same branch supersede in-flight runs instead of stacking duplicate jobs.
Several workflows gain explicit read-only permissions at the workflow level (e.g. CodeQL Rust, Pages deploy, Scorecard), and secrets.GITHUB_TOKEN is replaced with github.token where audit/benchmark/TruffleHog need API access.
cargo-machete and the release-drafter reusable workflow move from floating @main refs to pinned commit SHAs.
journey-gate.yml gets the same concurrency pattern as the rest.
Reviewed by Cursor Bugbot for commit b6d1d5f.
CodeAnt-AI Description
Harden CI and security workflows while reducing duplicate runs
What Changed
Impact
- ✅ Fewer duplicate CI runs
- ✅ Lower risk from workflow permission misuse
- ✅ More stable release and security checks