ci: least-privilege top-level permissions on dependabot-automerge#7
Pull request overview
Adds an empty top-level `permissions: {}` to the Dependabot auto-merge workflow to enforce least-privilege defaults, while the job retains its explicit elevated scopes.
Changes:
- Introduce top-level `permissions: {}` in the Dependabot auto-merge workflow.
Adds a top-level `permissions: {}` to the Dependabot auto-merge workflow so the default token grant for the workflow is empty; the single job keeps its explicit `contents: write` / `pull-requests: write`. Addresses the CodeRabbit least-privilege nitpick and keeps the workflow identical across all hardened repos.
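As an added illustration, not the repository's own workflow file (the page shows only the permissions change), this is the shape of a Dependabot auto-merge workflow with the top-level grant emptied and the elevated scopes kept on the single job; the workflow name, trigger, job name, update-type filter and steps are assumptions:

```yaml
# Added example: an illustrative Dependabot auto-merge workflow, not the
# repository's actual file. Only the permissions layout mirrors the PR;
# the name, trigger, job and steps are assumed for illustration.
name: dependabot-automerge

on:
  pull_request:

# Before this change there was no top-level key here, so every job inherited
# the repository's default GITHUB_TOKEN grant (possibly read/write on all
# scopes). With an empty top-level grant, a job that omits `permissions`
# now receives a token with no scopes at all, and elevated scopes must be
# requested explicitly, per job.
permissions: {}

jobs:
  automerge:
    if: github.actor == 'dependabot[bot]'
    runs-on: ubuntu-latest
    # The only job, and the only place elevated scopes are granted:
    # contents: write to merge, pull-requests: write to enable auto-merge.
    permissions:
      contents: write
      pull-requests: write
    steps:
      - name: Fetch Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@v2
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
      # Assumed policy: auto-merge everything except major version bumps.
      - name: Enable auto-merge for non-major updates
        if: steps.metadata.outputs.update-type != 'version-update:semver-major'
        run: gh pr merge --auto --squash "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

The practical effect to check for: any job added to this workflow later without its own `permissions` block runs with a scopeless token, which is the default the top-level grant is meant to enforce.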