add permissions

[bvolovat]

Overview

Summary by CodeRabbit

• Chores
  • Updated GitHub Actions workflow permissions configuration to enforce explicit access controls.

[coderabbitai]

📝 Walkthrough

Walkthrough

A permissions block was added to the pr-merged workflow job, explicitly defining read/write access for actions, id-token, packages, contents, and pull-requests. No functional changes to job logic or execution.

Changes

Cohort / File(s)	Summary
GitHub Workflow Configuration .github/workflows/pr-merged.yaml	Added explicit permissions block to pr-merged job with read access for actions and pull-requests, write access for id-token, packages, and contents.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Suggested reviewers

• Naor-Armo
• matthyx

Poem

🐰 With whiskers twitched and paws held high,
Our workflow now's more secure, oh my!
Permissions added, crystal clear,
The pr-merged job's authority's here! 🔐

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title 'add permissions' is vague and generic, failing to clearly communicate what permissions are being added or why.	Revise the title to be more specific and descriptive, e.g., 'Add explicit GitHub workflow permissions to pr-merged job' or 'Configure permissions for pr-merged workflow job'.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch run_test_from_private_repo

Important

Action Needed: IP Allowlist Update

If your organization protects your Git platform with IP whitelisting, please add the new CodeRabbit IP address to your allowlist:

• ✨ 136.113.208.247/32 (new)
• 34.170.211.100/32
• 35.222.179.152/32

Failure to add the new IP will result in interrupted reviews.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In @.github/workflows/pr-merged.yaml:
- Around line 30-35: Update the parent workflow permissions block to remove
unnecessary broad permissions: in the permissions section (the block containing
actions, id-token, packages, contents, pull-requests) keep only id-token: write
and packages: write; remove contents: write, pull-requests: read, and actions:
read so child jobs (docker-build which declares contents: read and
create-release-and-retag which declares contents: write) can declare their own
permissions explicitly and override the parent as intended.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cd "$(git rev-parse --show-toplevel)" 2>/dev/null || cd .

# First, examine the structure and find the workflow files
echo "=== Finding workflow files ==="
fd -t f "pr-merged.yaml" .github/workflows/

echo ""
echo "=== Examining pr-merged.yaml ==="
cat -n .github/workflows/pr-merged.yaml

echo ""
echo "=== Checking for incluster-comp-pr-merged.yaml ==="
fd -t f "incluster-comp-pr-merged.yaml" .github/workflows/

Repository: kubescape/node-agent

Length of output: 2561

---

🏁 Script executed:

# If the reusable workflow exists, examine it
echo "=== Examining incluster-comp-pr-merged.yaml ==="
if [ -f ".github/workflows/incluster-comp-pr-merged.yaml" ]; then
  cat -n .github/workflows/incluster-comp-pr-merged.yaml
else
  echo "File not found, checking variations..."
  fd -t f "*comp*merged*" .github/workflows/ 2>/dev/null | head -20
fi

echo ""
echo "=== Searching for permission usage in reusable workflow ==="
rg -n "permissions:|contents|packages|id-token|pull-requests|actions:" .github/workflows/ -t yaml

Repository: kubescape/node-agent

Length of output: 19574

---

🏁 Script executed:

# Search for actions/tools that might need the permissions
echo "=== Actions and tools that might require permissions ==="
rg -n "uses:|run:" .github/workflows/pr-merged.yaml .github/workflows/incluster-comp-pr-merged.yaml 2>/dev/null -A 2

Repository: kubescape/node-agent

Length of output: 7332

---

Reduce parent workflow permissions; let child jobs declare their own needs.

The parent's contents: write is redundant—both docker-build (which explicitly declares contents: read) and create-release-and-retag (which declares contents: write) override their parent permissions with their own blocks. Remove contents: write from lines 30–35 and let each child job's permission declaration take precedence. Similarly, pull-requests: read and actions: read appear unused; the workflow conditions and called actions do not require them.

Keep only id-token: write and packages: write in the parent job, as they are genuinely needed by the docker-build step (cosign signing and container registry push).

🤖 Prompt for AI Agents

In @.github/workflows/pr-merged.yaml around lines 30 - 35, Update the parent
workflow permissions block to remove unnecessary broad permissions: in the
permissions section (the block containing actions, id-token, packages, contents,
pull-requests) keep only id-token: write and packages: write; remove contents:
write, pull-requests: read, and actions: read so child jobs (docker-build which
declares contents: read and create-release-and-retag which declares contents:
write) can declare their own permissions explicitly and override the parent as
intended.