fix: add workflow permissions and concurrency#43

Merged
KooshaPari merged 1 commit into
mainfrom
fix/workflow-permissions-concurrency-0605
Jun 5, 2026
Conversation

@KooshaPari

@KooshaPari KooshaPari commented Jun 5, 2026


User description

Summary

  • Add explicit workflow-level permissions: and concurrency: blocks across 18 CI workflows.
  • Add new journey-gate.yml workflow alongside the rest.

Test plan

  • Inspected workflow diffs locally
  • CI unavailable due to account Actions billing constraint

🤖 Generated with Claude Code


Note

Medium Risk
Mostly workflow hygiene, but concurrency can cancel runs mid-flight and pinned SHAs change release-drafter/machete behavior; malformed on:/permissions nesting in a couple files (if present) could break those workflows entirely.

Overview
CI workflows now use shared concurrency groups (workflow + ref, cancel-in-progress: true) so newer pushes on the same branch supersede in-flight runs instead of stacking duplicate jobs.

Several workflows gain explicit read-only permissions at the workflow level (e.g. CodeQL Rust, Pages deploy, Scorecard), and secrets.GITHUB_TOKEN is replaced with github.token where audit/benchmark/TruffleHog need API access. cargo-machete and the release-drafter reusable workflow move from floating @main refs to pinned commit SHAs. journey-gate.yml gets the same concurrency pattern as the rest.

Reviewed by Cursor Bugbot for commit b6d1d5f.


CodeAnt-AI Description

Harden CI and security workflows while reducing duplicate runs

What Changed

  • New workflow runs now cancel older runs on the same branch, so CI, checks, and scans stop stacking up.
  • Several workflows now run with read-only access by default, and a few jobs use the built-in token for audit and benchmark checks.
  • Release, promotion, and secret-scanning steps now use pinned versions or a direct CLI flow, which reduces the chance of unexpected changes from upstream updates.
  • The secret scan workflow now runs through the TruffleHog CLI instead of the previous action-based step.

Impact

✅ Fewer duplicate CI runs
✅ Lower risk from workflow permission misuse
✅ More stable release and security checks



@codeant-ai

codeant-ai Bot commented Jun 5, 2026


CodeAnt AI is reviewing your PR.


@codeant-ai codeant-ai Bot added the size:M This PR changes 30-99 lines, ignoring generated files label Jun 5, 2026
@KooshaPari KooshaPari closed this Jun 5, 2026
@KooshaPari KooshaPari reopened this Jun 5, 2026

@cursor cursor Bot left a comment


Cursor Bugbot has reviewed your changes and found 4 potential issues.


Bugbot Autofix prepared fixes for all 4 issues found in the latest run.

  • ✅ Fixed: Workflow triggers under concurrency
    • Moved push/pull_request/schedule triggers under on: and placed permissions and concurrency as separate top-level keys in codeql-rust, pages-deploy, and scorecard.
  • ✅ Resolved by another fix: TruffleHog token not interpolated
    • Removed the escaped GH_TOKEN env block by switching the scan to trufflehog git file://., which does not require GitHub API authentication.
  • ✅ Fixed: TruffleHog github missing repo
    • Replaced trufflehog github with trufflehog git file://. to scan the checked-out repository history, matching other workflows in the repo.
  • ✅ Fixed: Release job concurrency cancel
    • Set cancel-in-progress to false on the release workflow so in-flight cargo publish and promotion runs are not cancelled by subsequent pushes.

Preview (ed4bbf6a22)
diff --git a/.github/workflows/codeql-rust.yml b/.github/workflows/codeql-rust.yml
--- a/.github/workflows/codeql-rust.yml
+++ b/.github/workflows/codeql-rust.yml
@@ -1,13 +1,6 @@
 name: CodeQL (Rust)
 
 on:
-permissions:
-  contents: read
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
   push:
     branches: [main]
   pull_request:
@@ -16,6 +9,13 @@
     - cron: '17 4 * * 2'
   workflow_dispatch:
 
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   analyze:
     name: Analyze (rust)
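Review bot: `contents: read` at workflow level clears the default token grants, so the `analyze` job (outside this hunk) must declare `security-events: write` itself or the CodeQL results upload will be rejected; confirm the job-level block is present. Also note the concurrency group is keyed on `github.ref`, and scheduled runs execute on the default branch, so the weekly `schedule` run and a push to `main` land in the same group and will cancel each other under `cancel-in-progress: true`.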

diff --git a/.github/workflows/pages-deploy.yml b/.github/workflows/pages-deploy.yml
--- a/.github/workflows/pages-deploy.yml
+++ b/.github/workflows/pages-deploy.yml
@@ -1,6 +1,11 @@
 name: Deploy Docs
 
 on:
+  push:
+    branches: [main, master]
+    paths:
+      - 'docs/**'
+
 permissions:
   contents: read
 
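Review bot: moving the `push` trigger back under `on:` is correct, but with `contents: read` now declared at workflow level the default token carries no `pages: write` or `id-token: write`; the `deploy` job must grant both at job level (not visible in this hunk) or `actions/deploy-pages` will fail at deploy time.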
@@ -8,11 +13,6 @@
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
-  push:
-    branches: [main, master]
-    paths:
-      - 'docs/**'
-
 jobs:
   deploy:
     runs-on: ubuntu-24.04
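Review bot: `cancel-in-progress: true` is kept for the docs deployment while this same patch flips release.yml to `false` for the same class of problem; a second push to `main` while a Pages deployment is in flight will cancel it mid-deploy. Set `cancel-in-progress: false` here too so later runs queue instead of interrupting a deployment.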

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -13,7 +13,7 @@
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
+  cancel-in-progress: false
 
 jobs:
   release:
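Review bot: the flip to `cancel-in-progress: false` is the right call, but it leaves release.yml as the one workflow that differs from the pattern applied everywhere else in this PR; add an inline comment next to the line stating why (an in-flight `cargo publish` or promotion must never be cancelled) so a later hygiene pass does not reset it to `true`. With `false`, later runs queue behind the active one, and GitHub keeps only the newest pending run per group, which is the intended behaviour here.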

diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -1,12 +1,5 @@
 name: OpenSSF Scorecard
 on:
-permissions:
-  contents: read
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
   branch_protection_rule:
   schedule:
     - cron: '17 3 * * 6'
@@ -15,6 +8,10 @@
 
 permissions: read-all
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   analysis:
     name: Scorecard analysis
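Review bot: this hunk keeps the pre-existing `permissions: read-all` while the previous hunk dropped the `contents: read` block the PR had added, so the file ends up with a broader read grant than the other workflows; decide which one is intended rather than leaving the outcome to the autofix. Either way the `analysis` job must still grant `security-events: write` and `id-token: write` at job level for the Scorecard action's SARIF upload and signed publish, which this hunk does not show.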

diff --git a/.github/workflows/trufflehog.yml b/.github/workflows/trufflehog.yml
--- a/.github/workflows/trufflehog.yml
+++ b/.github/workflows/trufflehog.yml
@@ -19,6 +19,4 @@
         with:
           fetch-depth: 0
       - uses: trufflehog/actions/setup@17456cf5a9c8be7821b4dc568702b5f43650a8ad  # was: @main
-      - run: trufflehog github --only-verified --no-update
-        env:
-          GH_TOKEN: \${{ github.token }}
+      - run: trufflehog git file://. --only-verified --no-update
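Review bot: `trufflehog git file://.` together with `fetch-depth: 0` scans the full checked-out history, but without `--fail` the CLI exits 0 even when verified secrets are found, so the job stays green and nothing blocks the merge; add `--fail` (exit code 183 on findings) to the `run:` line. The pinned `setup` action carries only `# was: @main`; record the tag or version that SHA corresponds to so the pin can be audited and bumped.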


Reviewed by Cursor Bugbot for commit 355f43a.

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true


Workflow triggers under concurrency

High Severity

permissions and concurrency were inserted directly under on: before event keys, so push, pull_request, and other triggers are nested under concurrency instead of on. The workflows no longer declare valid triggers and will not run as intended.

Additional Locations (2)


      - uses: trufflehog/actions/setup@17456cf5a9c8be7821b4dc568702b5f43650a8ad  # was: @main
      - run: trufflehog github --only-verified --no-update
        env:
          GH_TOKEN: \${{ github.token }}


TruffleHog token not interpolated

High Severity

The GH_TOKEN env value uses a leading backslash before the expression, so GitHub Actions likely passes the literal string instead of the job token. The trufflehog github step may run unauthenticated or fail verification for --only-verified.



        with:
          extra_args: --only-verified
      - uses: trufflehog/actions/setup@17456cf5a9c8be7821b4dc568702b5f43650a8ad  # was: @main
      - run: trufflehog github --only-verified --no-update


TruffleHog github missing repo

Medium Severity

The job checks out the repo but runs trufflehog github without --repo (or equivalent scope). That subcommand targets GitHub API repos, unlike the prior action’s git/filesystem scan, so coverage of this repository’s commits may be wrong or empty.




concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true


Release job concurrency cancel

Medium Severity

New workflow concurrency uses cancel-in-progress: true on main for the release workflow. A second push while cargo publish or promotion is running can cancel the in-flight run and leave publishing or promotion incomplete.



Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@KooshaPari KooshaPari force-pushed the fix/workflow-permissions-concurrency-0605 branch from 355f43a to b6d1d5f Compare June 5, 2026 13:54
Comment on lines 3 to 11
on:
permissions:
  contents: read

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

  push:


🔴 Architect Review — CRITICAL

The workflow-level permissions and concurrency blocks are placed between on: and its trigger keys at the wrong indentation, so the push/pull_request/schedule keys are no longer valid children of on:. This yields invalid/broken workflow YAML in this file, and the same pattern appears in .github/workflows/pages-deploy.yml and .github/workflows/scorecard.yml, preventing those workflows from triggering correctly.

Suggestion: Move permissions and concurrency to be top-level siblings of on (e.g. permissions/concurrency/on all at the same indentation) in all three files, then run a GitHub Actions/YAML linter to confirm the workflows parse and the triggers are correctly nested under on:.



Comment on lines 22 to +24
      - run: trufflehog github --only-verified --no-update
        env:
-         GH_TOKEN: \${{ secrets.GITHUB_TOKEN }}
+         GH_TOKEN: \${{ github.token }}


🔴 Architect Review — CRITICAL

The new CLI-based TruffleHog step sets GH_TOKEN to the literal string \${{ github.token }} (escaped), so the environment variable does not receive a real GitHub token and TruffleHog's github scan will run without valid authentication or fail when calling the GitHub API.

Suggestion: Change the env to use an actual GitHub expression (e.g. GH_TOKEN: ${{ github.token }} or GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} without escaping) and keep a single authoritative token source for this step, then verify in a run that the TruffleHog command sees an authenticated token.


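A structural check of the kind the Architect Review comments above ask for, covering both findings on this PR: triggers that end up nested under `concurrency` instead of `on:`, and a backslash-escaped `${{ github.token }}` that reaches the runner as text. This is an added example, not the PR's or the project's code; it understands only the indentation subset that workflow files use (column-0 keys with column-2 children, no YAML library needed), and the sample workflow text is constructed to mirror the broken codeql-rust.yml layout.

```python
import re
# Keys that must sit at workflow level, and trigger names valid only under `on:`.
TOP_LEVEL_ONLY = {"permissions", "concurrency"}
TRIGGER_KEYS = {"push", "pull_request", "schedule", "workflow_dispatch", "branch_protection_rule"}
KEY_RE = re.compile(r"^( *)([A-Za-z_][\w-]*):(.*)$")

def top_level_children(text):
    """Map each column-0 key to (inline value, set of column-2 child keys)."""
    tree, current = {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if not m:
            continue  # list items, deeper keys, comments and blank lines
        indent, key, rest = len(m.group(1)), m.group(2), m.group(3).strip()
        if indent == 0:
            current = key
            tree[key] = (rest, set())
        elif indent == 2 and current is not None:
            tree[current][1].add(key)
    return tree

def lint_workflow(text):
    """Return findings as strings; an empty list means the layout is sound."""
    tree, findings = top_level_children(text), []
    if "on" not in tree:
        findings.append("missing top-level 'on:' block")
    for parent, (inline, children) in tree.items():
        if parent == "on":
            if not inline and not children:
                findings.append("'on:' declares no triggers")
            for child in sorted(children - TRIGGER_KEYS):
                findings.append(f"'{child}' nested under 'on:' is not a trigger")
        elif parent != "jobs":  # job ids are user-chosen, so skip that block
            for child in sorted(children & TRIGGER_KEYS):
                findings.append(f"trigger '{child}' is under '{parent}', not 'on:'")
    for key in sorted(TOP_LEVEL_ONLY - tree.keys()):
        findings.append(f"no workflow-level '{key}:' block")
    # A backslash before ${{ }} is passed through as text, never as the bare token.
    for n, line in enumerate(text.splitlines(), 1):
        if "\\${{" in line:
            findings.append(f"line {n}: backslash-escaped expression, value is not the bare token")
    return findings

# Constructed sample reproducing the misnesting Bugbot flagged in codeql-rust.yml.
BROKEN = """\
on:
permissions:
  contents: read
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
  push:
    branches: [main]
"""
```

Running `lint_workflow(BROKEN)` reports that `on:` declares no triggers and that `push` sits under `concurrency`; the corrected layout (triggers under `on:`, then `permissions:` and `concurrency:` at column 0) returns no findings.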


@codeant-ai

codeant-ai Bot commented Jun 5, 2026


CodeAnt AI finished reviewing your PR.

@KooshaPari KooshaPari merged commit cac3d16 into main Jun 5, 2026
11 of 15 checks passed
@KooshaPari KooshaPari deleted the fix/workflow-permissions-concurrency-0605 branch June 5, 2026 13:56
