CI - Merge hooks #4224
Draft
CI - Merge hooks #4224
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
bfops
commented
Feb 6, 2026
| owner: 'clockworklabs', | ||
| repo: 'SpacetimeDBPrivate', | ||
| workflow_id: 'public-pr-merge.yml', | ||
| ref: 'bfops/smarter-internal-tests', |
Collaborator
Author
There was a problem hiding this comment.
before merging:
Suggested change
| ref: 'bfops/smarter-internal-tests', | |
| ref: 'master', |
bfops
commented
Feb 6, 2026
|
|
||
| invokePrivate: | ||
| runs-on: ubuntu-latest | ||
| if: github.event.pull_request.merged == true |
Collaborator
Author
There was a problem hiding this comment.
before merging:
Suggested change
| if: github.event.pull_request.merged == true | |
| if: github.event.pull_request.merged == true && | |
| github.event.pull_request.base.ref == 'master' |
# Description of Changes <!-- Please describe your change, mention any related tickets, and so on here. --> # API and ABI breaking changes <!-- If this is an API or ABI breaking change, please apply the corresponding GitHub label. --> # Expected complexity level and risk <!-- How complicated do you think these changes are? Grade on a scale from 1 to 5, where 1 is a trivial change, and 5 is a deep-reaching and complex change. This complexity rating applies not only to the complexity apparent in the diff, but also to its interactions with existing and future code. If you answered more than a 2, explain what is complex about the PR, and what other components it interacts with in potentially concerning ways. --> # Testing <!-- Describe any testing you've done, and any testing you'd like your reviewers to do, so that you're confident that all the changes work as expected! --> - [ ] <!-- maybe a test you want to do --> - [ ] <!-- maybe a test you want a reviewer to do, so they can check it off when they're satisfied. --> Co-authored-by: Zeke Foppa <bfops@users.noreply.github.com>
Comment on lines
+75
to
+91
| runs-on: ubuntu-latest | ||
| if: github.event.pull_request.merged == true | ||
| steps: | ||
| - name: Dispatch private merge workflow | ||
| uses: actions/github-script@v7 | ||
| with: | ||
| github-token: ${{ secrets.SPACETIMEDB_PRIVATE_TOKEN }} | ||
| script: | | ||
| await github.rest.actions.createWorkflowDispatch({ | ||
| owner: 'clockworklabs', | ||
| repo: 'SpacetimeDBPrivate', | ||
| workflow_id: 'public-pr-merge.yml', | ||
| ref: 'bfops/smarter-internal-tests', | ||
| inputs: { | ||
| public_pr_number: String(context.payload.pull_request.number), | ||
| } | ||
| }); |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 4 days ago
In general, the fix is to add an explicit permissions: block either at the workflow root (to apply to all jobs) or per job, granting only the scopes the workflow needs. Since this workflow appears to only need read access to repository contents and PR metadata via GITHUB_TOKEN, it can safely use contents: read at the workflow level as a minimal baseline. If in the future a job requires additional permissions, they can be added on that specific job.
The single best change here is: add a workflow-level permissions: block near the top of .github/workflows/discord-posts.yml, directly under the on: section, specifying contents: read. This will apply to both discordNotification and invokePrivate jobs. The invokePrivate job doesn’t use GITHUB_TOKEN at all (it uses secrets.SPACETIMEDB_PRIVATE_TOKEN), so it does not need additional permissions. No other functionality needs to change, and no imports or external libraries are required, since this is purely GitHub Actions YAML configuration.
Concretely:
- Edit
.github/workflows/discord-posts.yml. - After the
on: ...block (lines 3–5), insert:permissions: contents: read
- Leave the rest of the workflow unchanged. This explicitly limits the
GITHUB_TOKENto read-only access to repository contents and associated metadata, which is sufficient for runninggh pr checksand other read-only operations in this workflow.
Suggested changeset
1
.github/workflows/discord-posts.yml
| @@ -4,6 +4,9 @@ | ||
| pull_request: | ||
| types: [closed] | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| discordNotification: | ||
| runs-on: ubuntu-latest |
Copilot is powered by AI and may make mistakes. Always verify output.
bfops
force-pushed
the
bfops/discord-post-on-merge
branch
from
57e390f to
303b411
Compare
# Description of Changes <!-- Please describe your change, mention any related tickets, and so on here. --> # API and ABI breaking changes <!-- If this is an API or ABI breaking change, please apply the corresponding GitHub label. --> # Expected complexity level and risk <!-- How complicated do you think these changes are? Grade on a scale from 1 to 5, where 1 is a trivial change, and 5 is a deep-reaching and complex change. This complexity rating applies not only to the complexity apparent in the diff, but also to its interactions with existing and future code. If you answered more than a 2, explain what is complex about the PR, and what other components it interacts with in potentially concerning ways. --> # Testing <!-- Describe any testing you've done, and any testing you'd like your reviewers to do, so that you're confident that all the changes work as expected! --> - [ ] <!-- maybe a test you want to do --> - [ ] <!-- maybe a test you want a reviewer to do, so they can check it off when they're satisfied. --> --------- Co-authored-by: Zeke Foppa <bfops@users.noreply.github.com>
# Description of Changes <!-- Please describe your change, mention any related tickets, and so on here. --> # API and ABI breaking changes <!-- If this is an API or ABI breaking change, please apply the corresponding GitHub label. --> # Expected complexity level and risk <!-- How complicated do you think these changes are? Grade on a scale from 1 to 5, where 1 is a trivial change, and 5 is a deep-reaching and complex change. This complexity rating applies not only to the complexity apparent in the diff, but also to its interactions with existing and future code. If you answered more than a 2, explain what is complex about the PR, and what other components it interacts with in potentially concerning ways. --> # Testing <!-- Describe any testing you've done, and any testing you'd like your reviewers to do, so that you're confident that all the changes work as expected! --> - [ ] <!-- maybe a test you want to do --> - [ ] <!-- maybe a test you want a reviewer to do, so they can check it off when they're satisfied. --> --------- Co-authored-by: Zeke Foppa <bfops@users.noreply.github.com>
# Description of Changes <!-- Please describe your change, mention any related tickets, and so on here. --> # API and ABI breaking changes <!-- If this is an API or ABI breaking change, please apply the corresponding GitHub label. --> # Expected complexity level and risk <!-- How complicated do you think these changes are? Grade on a scale from 1 to 5, where 1 is a trivial change, and 5 is a deep-reaching and complex change. This complexity rating applies not only to the complexity apparent in the diff, but also to its interactions with existing and future code. If you answered more than a 2, explain what is complex about the PR, and what other components it interacts with in potentially concerning ways. --> # Testing <!-- Describe any testing you've done, and any testing you'd like your reviewers to do, so that you're confident that all the changes work as expected! --> - [ ] <!-- maybe a test you want to do --> - [ ] <!-- maybe a test you want a reviewer to do, so they can check it off when they're satisfied. --> Co-authored-by: Zeke Foppa <bfops@users.noreply.github.com>
# Description of Changes <!-- Please describe your change, mention any related tickets, and so on here. --> # API and ABI breaking changes <!-- If this is an API or ABI breaking change, please apply the corresponding GitHub label. --> # Expected complexity level and risk <!-- How complicated do you think these changes are? Grade on a scale from 1 to 5, where 1 is a trivial change, and 5 is a deep-reaching and complex change. This complexity rating applies not only to the complexity apparent in the diff, but also to its interactions with existing and future code. If you answered more than a 2, explain what is complex about the PR, and what other components it interacts with in potentially concerning ways. --> # Testing <!-- Describe any testing you've done, and any testing you'd like your reviewers to do, so that you're confident that all the changes work as expected! --> - [ ] <!-- maybe a test you want to do --> - [ ] <!-- maybe a test you want a reviewer to do, so they can check it off when they're satisfied. --> Co-authored-by: Zeke Foppa <bfops@users.noreply.github.com>
Co-authored-by: Zeke Foppa <bfops@users.noreply.github.com>
Co-authored-by: Zeke Foppa <bfops@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description of Changes
Call a new workflow on PR merges.
API and ABI breaking changes
None. CI-only.
Expected complexity level and risk
2
Testing
Ask @bfops about testing.