Merged
6 changes: 6 additions & 0 deletions .github/workflows/pr-merged.yaml
Expand Up @@ -27,6 +27,12 @@ jobs:
pr-merged:
if: ${{ github.event.pull_request.merged == true }} ## Skip if not merged
needs: reset-run-number
permissions:
actions: read
id-token: write
packages: write
contents: write
pull-requests: read
Comment on lines +30 to +35
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cd "$(git rev-parse --show-toplevel)" 2>/dev/null || cd .

# First, examine the structure and find the workflow files
echo "=== Finding workflow files ==="
fd -t f "pr-merged.yaml" .github/workflows/

echo ""
echo "=== Examining pr-merged.yaml ==="
cat -n .github/workflows/pr-merged.yaml

echo ""
echo "=== Checking for incluster-comp-pr-merged.yaml ==="
fd -t f "incluster-comp-pr-merged.yaml" .github/workflows/

Repository: kubescape/node-agent

Length of output: 2561


🏁 Script executed:

# If the reusable workflow exists, examine it
echo "=== Examining incluster-comp-pr-merged.yaml ==="
if [ -f ".github/workflows/incluster-comp-pr-merged.yaml" ]; then
  cat -n .github/workflows/incluster-comp-pr-merged.yaml
else
  echo "File not found, checking variations..."
  fd -t f "*comp*merged*" .github/workflows/ 2>/dev/null | head -20
fi

echo ""
echo "=== Searching for permission usage in reusable workflow ==="
rg -n "permissions:|contents|packages|id-token|pull-requests|actions:" .github/workflows/ -t yaml

Repository: kubescape/node-agent

Length of output: 19574


🏁 Script executed:

# Search for actions/tools that might need the permissions
echo "=== Actions and tools that might require permissions ==="
rg -n "uses:|run:" .github/workflows/pr-merged.yaml .github/workflows/incluster-comp-pr-merged.yaml 2>/dev/null -A 2

Repository: kubescape/node-agent

Length of output: 7332


Reduce parent workflow permissions; let child jobs declare their own needs.

The parent's contents: write is redundant—both docker-build (which explicitly declares contents: read) and create-release-and-retag (which declares contents: write) override their parent permissions with their own blocks. Remove contents: write from lines 30–35 and let each child job's permission declaration take precedence. Similarly, pull-requests: read and actions: read appear unused; the workflow conditions and called actions do not require them.

Keep only id-token: write and packages: write in the parent job, as they are genuinely needed by the docker-build step (cosign signing and container registry push).

🤖 Prompt for AI Agents
In @.github/workflows/pr-merged.yaml around lines 30-35, update the parent
workflow permissions block to remove unnecessary broad permissions: in the
permissions section (the block containing actions, id-token, packages, contents,
pull-requests) keep only id-token: write and packages: write; remove contents:
write, pull-requests: read, and actions: read so child jobs (docker-build, which
declares contents: read, and create-release-and-retag, which declares contents:
write) can declare their own permissions explicitly and override the parent as
intended.

uses: ./.github/workflows/incluster-comp-pr-merged.yaml
with:
IMAGE_NAME: quay.io/${{ github.repository_owner }}/node-agent
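Review bot: the permissions block added at +30 to +35 sits on a job that calls a reusable workflow (`uses: ./.github/workflows/incluster-comp-pr-merged.yaml`), and for a reusable-workflow call the caller's permissions are a ceiling, not a default: jobs in the called workflow can only downgrade the GITHUB_TOKEN scopes they receive, never raise them. That cuts against the earlier suggestion to drop `contents: write` here; if `create-release-and-retag` in the called workflow declares `contents: write`, as that comment states, removing the scope from this job would leave that child job unable to obtain it. The safer trim is to keep `contents: write`, `id-token: write` and `packages: write` and remove only `actions: read` and `pull-requests: read` once you have confirmed no step in the called workflow reads workflow runs or PR metadata. A short comment on the block naming which child job needs each write scope (registry push, cosign signing, release creation) would also help the next reviewer judge the blast radius of a compromised step.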