
Workflow permissions #6839

Merged
LesnyRumcajs merged 5 commits into main from workflow-permissions on Apr 2, 2026

Conversation


LesnyRumcajs (Member) commented Apr 1, 2026

Summary of changes

On top of #6838

Changes introduced in this pull request:

  • added explicit permissions to tackle CodeQL warnings

Reference issue to close (if applicable)

Closes #5873

Other information and links

Change checklist

  • I have performed a self-review of my own code,
  • I have made corresponding changes to the documentation. All new code adheres to the team's documentation standards,
  • I have added tests that prove my fix is effective or that my feature works (if possible),
  • I have made sure the CHANGELOG is up-to-date. All user-facing changes should be reflected in this document.

Outside contributions

  • I have read and agree to the CONTRIBUTING document.
  • I have read and agree to the AI Policy document. I understand that failure to comply with the guidelines will lead to rejection of the pull request.

Summary by CodeRabbit

  • Chores
    • Added explicit GitHub Actions workflow permissions across the build system for improved security posture
    • Removed non-essential diagnostic steps from build workflows
    • Optimized Docker builds with improved conditional logic for release versus development environments
    • Added caching for test artifacts to improve workflow performance

LesnyRumcajs requested a review from a team as a code owner April 1, 2026 14:01
LesnyRumcajs requested review from akaladarshi and hanabi1224 and removed request for a team April 1, 2026 14:01

coderabbitai Bot commented Apr 1, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 111d22d and 16f1dee.

📒 Files selected for processing (2)
  • .github/workflows/cargo-publish-dry-run.yml
  • .github/workflows/coverage.yml
✅ Files skipped from review due to trivial changes (2)
  • .github/workflows/coverage.yml
  • .github/workflows/cargo-publish-dry-run.yml

Walkthrough

This PR adds explicit GitHub Actions permissions blocks (enforcing least-privilege access) to 26+ workflow files, setting contents: read, packages: write, issues: write, and pull-requests: write scopes as required. Additionally, diagnostic commands are removed and artifact handling is simplified in select workflows.

Changes

Basic Permission Hardening
  Files: .github/workflows/butterflynet.yml, cargo-advisories.yml, checkpoints.yml, coverage.yml, docs-auto-update.yml, docs-check.yml, docs-required-override.yml, docs-rpc-auto-update.yml, link-check.yml, lists-lint.yml, lotus-api-bump.yml, python-lint.yml, rubocop.yml, rust-lint.yml, shellcheck.yml, yaml-lint.yml
  Summary: Added workflow-level permissions: contents: read block to enforce least-privilege token scope.

Permission Hardening with Issue Write Access
  Files: cargo-publish-dry-run.yml, dockerfile-check.yml, rpc-parity.yml, snapshot-parity.yml
  Summary: Added workflow-level permissions blocks with contents: read and issues: write to enable failure notification steps.

Permission Hardening with Package Write Access
  Files: curio-devnet-publish.yml, docker-dev.yml, docker-latest-tag.yml, lotus-devnet-publish.yml
  Summary: Added workflow-level permissions blocks with contents: read and packages: write to support Docker image publishing.

RPC Parity Report Permissions
  Files: rpc-parity-report.yml
  Summary: Added workflow-level permissions with contents: write, issues: write, and pull-requests: write to enable comprehensive reporting and PR creation.

Release Job Permissions
  Files: release.yml, release_dispatch.yml
  Summary: Added job-level permissions blocks: build job gets contents: write for release artifacts; publish job gets contents: read for package operations.

This Month Reminder Workflow
  Files: this-month-in-forest-reminder.yml
  Summary: Added workflow-level permissions with contents: read and issues: write to support scheduled issue creation.

Docker Workflow Complex Changes
  Files: docker.yml
  Summary: Added workflow-level permissions (contents: read, packages: write); removed diagnostic commands (lscpu, IP lookup via curl); changed AMD64 build from always release to release on main/version tags or quick otherwise; added conditional guards (if: expressions) to slim image publishing steps.

Forest Workflow Cleanup
  Files: forest.yml
  Summary: Added workflow-level permissions (contents: read, issues: write); removed diagnostic steps in build job; deleted dedicated cargo-publish-dry-run job; removed redundant actions/download-artifact steps in Calibnet-related jobs; updated integration-tests-status job dependencies.

Unit Tests with Caching
  Files: unit-tests.yml
  Summary: Added workflow-level permissions: contents: read; removed public IP lookup step; added two new actions/cache@v5 steps to cache Filecoin proof parameters and actor bundle artifacts with static cache keys.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

  • hanabi1224
  • akaladarshi

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Out of Scope Changes check: ⚠️ Warning
  Explanation: The docker.yml and forest.yml workflows include removal of diagnostic steps and cargo-publish-dry-run job beyond permission additions, introducing additional scope changes.
  Resolution: Remove non-permission-related changes (diagnostics removal, cargo-publish-dry-run deletion, redundant artifact download removal) or justify them as part of the workflow hardening objective.

✅ Passed checks (4 passed)

Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
Title check: ✅ Passed. The title 'Workflow permissions' is generic but directly relates to the main change: adding permission blocks to GitHub Actions workflows.
Linked Issues check: ✅ Passed. The pull request comprehensively adds permission blocks to all workflow files following the least-privilege principle, matching issue #5873 requirements to harden GitHub token scopes.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


codecov Bot commented Apr 1, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 63.84%. Comparing base (d8c8417) to head (cd4c127).
⚠️ Report is 3 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files

see 6 files with indirect coverage changes



coderabbitai Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🧹 Nitpick comments (4)
.github/workflows/unit-tests.yml (1)

73-82: Consider versioning cache keys only when snapshot generation logic changes.

The static cache keys proof-params-keys and actor-bundle (lines 77, 82) are currently reused across all runs without restore-keys fallback. While this could theoretically cause stale data issues if upstream snapshots rotate, the team has explicitly decided to defer cache key versioning until it becomes necessary. Per the caching strategy established in PR #5978, a version string can be added to the cache key (e.g., ${{ env.TEST_DATA_CACHE_VERSION }}) if and when the snapshot generation logic changes. No immediate action needed.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/unit-tests.yml around lines 73 - 82, the workflow uses static cache keys for the actions with ids cache-proof-params and cache-actor-bundle (keys "proof-params-keys" and "actor-bundle"); update the key values to include a version token (for example by appending `${{ env.TEST_DATA_CACHE_VERSION }}`) whenever snapshot generation logic changes so caches are invalidated only when needed—modify the key fields for the cache-proof-params and cache-actor-bundle steps to include the version env var when you bump snapshot logic.
.github/workflows/forest.yml (1)

2-4: Scope issues: write to extra_tests instead of the whole workflow.

Only extra_tests creates issues, but Lines 2-4 give issue-mutation rights to every build and integration job in this workflow. That is broader than needed for the hardening pass. If you move the write scope down, keep contents: read on extra_tests too, since job-level permissions override the root set and that job consumes a repo-hosted issue template.

Suggested permission narrowing
 permissions:
   contents: read
-  issues: write
 
   extra_tests:
+    permissions:
+      contents: read
+      issues: write
     if: ${{ github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'Release')) }}
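Review bot: the context lines jump from the root permissions block straight to `extra_tests:` at the same two-space indent, eliding the `jobs:` key that sits between them in the file, so apply this as two separate edits rather than as a patch; the docker.yml suggestion further down shows the shape with `jobs:` included. The re-added `contents: read` under `extra_tests` is not optional: once a job declares its own `permissions`, every scope it does not list becomes none, and the job would lose read access to the repo-hosted issue template it consumes.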
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/forest.yml around lines 2 - 4, the workflow currently grants issues: write at the top-level which is too broad; remove the top-level issues: write and instead add issues: write to the job permissions for the extra_tests job (keep contents: read at root and also include contents: read in the extra_tests job permissions) so only extra_tests has issue-mutation rights; update the permissions block in the job named extra_tests accordingly.
.github/workflows/docker-latest-tag.yml (1)

4-6: contents: read looks unused in this workflow.

This job only authenticates to GHCR and retags existing images; it never checks out the repository or reads repository files. Dropping contents: read would make this workflow fully least-privilege.

Suggested cleanup
 permissions:
-  contents: read
   packages: write
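Review bot: before taking this removal, confirm no step in the workflow calls actions/checkout or reads repository files through GITHUB_TOKEN, since with an explicit permissions block every scope not listed is none and the job will be left with `packages: write` only. If that check holds, the resulting block is the least-privilege end state the PR is aiming for; if a checkout step does exist, keep `contents: read` here and look for narrowing elsewhere.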
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/docker-latest-tag.yml around lines 4 - 6, the workflow permissions include an unused "contents: read" scope; remove that line so the permissions block only grants the minimal "packages: write" scope. Update the permissions map (the "permissions" YAML and the keys "contents" and "packages") to drop "contents: read" and keep "packages: write", and verify no steps reference repository contents or require checkout before committing the change.
.github/workflows/docker.yml (1)

2-4: Scope packages: write to build-and-push-docker-image only.

Lines 2-4 currently give registry write access to build-ubuntu-amd64 and build-ubuntu-arm64 too, even though only the publish job logs into GHCR and pushes images. That weakens the least-privilege hardening this PR is aiming for. If you move it down to the job, keep contents: read there as well, since job-level permissions replace the workflow-level set.

Suggested permission narrowing
 permissions:
   contents: read
-  packages: write
 
 jobs:
   build-and-push-docker-image:
+    permissions:
+      contents: read
+      packages: write
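Review bot: confirm build-ubuntu-amd64 and build-ubuntu-arm64 never push to GHCR themselves (for example through a registry-backed build cache) before removing `-  packages: write` from the root, because after this change those jobs run with `contents: read` only. The `contents: read` re-declared under build-and-push-docker-image is required, not redundant: a job-level permissions block replaces the workflow-level set rather than merging with it, so omitting it would drop the publish job's repository read access.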
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/docker.yml around lines 2 - 4, the workflow-level permissions currently grant packages: write broadly; remove packages: write from the top-level permissions (leave contents: read there) and add a job-level permissions block under the build-and-push-docker-image job that sets packages: write and contents: read so only that job can push to GHCR; reference the top-level permissions keys (permissions: contents/packages) and the job name build-and-push-docker-image when making the change, leaving other jobs like build-ubuntu-amd64 and build-ubuntu-arm64 unaffected.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/cargo-publish-dry-run.yml:
- Around line 39-50: Update the failing-run guards so issues are only created for main branch failures: change the two steps named "Set WORKFLOW_URL" and the "JasonEtco/create-an-issue@v2" step to use the combined condition github.ref == 'refs/heads/main' && failure() instead of just failure(), ensuring both the WORKFLOW_URL export and the issue-creation action only run for failed runs on refs/heads/main.

In @.github/workflows/release_dispatch.yml:
- Around line 3-4: The workflow currently sets a workflow-level "permissions: contents: write" which is overly broad; change to least-privilege by removing or changing the global "contents: write" and instead set job-level permissions: grant "contents: write" only on the build job (the job that uploads release artifacts) and ensure the publish job uses "contents: read" (or the minimal needed permission) while keeping the build and publish job names ("build", "publish") intact so you update the correct job blocks.



📥 Commits

Reviewing files that changed from the base of the PR and between 1494a35 and 24b2c20.

📒 Files selected for processing (33)
  • .github/CARGO_PUBLISH_DRY_RUN_ISSUE_TEMPLATE.md
  • .github/workflows/butterflynet.yml
  • .github/workflows/cargo-advisories.yml
  • .github/workflows/cargo-publish-dry-run.yml
  • .github/workflows/checkpoints.yml
  • .github/workflows/coverage.yml
  • .github/workflows/curio-devnet-publish.yml
  • .github/workflows/docker-dev.yml
  • .github/workflows/docker-latest-tag.yml
  • .github/workflows/docker-lint.yml
  • .github/workflows/docker.yml
  • .github/workflows/dockerfile-check.yml
  • .github/workflows/docs-auto-update.yml
  • .github/workflows/docs-check.yml
  • .github/workflows/docs-required-override.yml
  • .github/workflows/docs-rpc-auto-update.yml
  • .github/workflows/forest.yml
  • .github/workflows/link-check.yml
  • .github/workflows/lists-lint.yml
  • .github/workflows/lotus-api-bump.yml
  • .github/workflows/lotus-devnet-publish.yml
  • .github/workflows/python-lint.yml
  • .github/workflows/release.yml
  • .github/workflows/release_dispatch.yml
  • .github/workflows/rpc-parity-report.yml
  • .github/workflows/rpc-parity.yml
  • .github/workflows/rubocop.yml
  • .github/workflows/rust-lint.yml
  • .github/workflows/shellcheck.yml
  • .github/workflows/snapshot-parity.yml
  • .github/workflows/this-month-in-forest-reminder.yml
  • .github/workflows/unit-tests.yml
  • .github/workflows/yaml-lint.yml
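An added example, my own Ruby and not code from the Forest repository or this PR, that applies the permission semantics the review above leans on (a job-level permissions block replaces the workflow-level one; scopes not listed in an explicit block become none) to compute each job's effective GITHUB_TOKEN scopes and flag write grants, so a narrowing like the docker.yml suggestion can be checked mechanically before and after. The function names, the SCOPES list and the two inline workflows are constructed for the example.

```ruby
# Added example (my own code, not from the Forest repository or this PR): compute
# the GITHUB_TOKEN scopes each job in a workflow actually runs with, using the
# semantics the review relies on: a job-level `permissions` block REPLACES the
# workflow-level one, a scope missing from an explicit block is `none`, and no
# block at either level means the repository default applies.
require 'yaml'
# Subset of GitHub's scopes, used only to expand the read-all/write-all shorthands.
SCOPES = %w[actions contents issues packages pull-requests id-token].freeze

def expand(perms)
  case perms
  when 'read-all'  then SCOPES.to_h { |s| [s, 'read'] }
  when 'write-all' then SCOPES.to_h { |s| [s, 'write'] }
  when Hash        then perms      # `permissions: {}` arrives here as an empty Hash
  else             Hash.new        # anything else: treat as no scopes granted
  end
end

# { job_name => { scope => level } }, or nil when the job has no explicit block.
def effective_permissions(yaml_text)
  doc = YAML.safe_load(yaml_text)
  (doc['jobs'] || {}).to_h do |name, job|
    perms = job.key?('permissions') ? job['permissions'] : doc['permissions']
    [name, perms.nil? ? nil : expand(perms)]
  end
end

# Findings for a reviewer: jobs left on the repository default, and every write
# scope so each can be matched against what the job really does (push, checkout).
def audit(yaml_text)
  effective_permissions(yaml_text).flat_map do |job, scopes|
    next ["#{job}: no explicit permissions, repository default applies"] if scopes.nil?
    scopes.select { |_, lvl| lvl == 'write' }.map { |scope, _| "#{job}: #{scope}: write" }
  end
end

# Constructed workflows shaped like the docker.yml discussion: before, the root
# packages: write reaches the two build jobs that never push; after, only the
# publish job holds it and must re-declare contents: read (job block replaces root).
BEFORE = <<~YAML
  permissions: { contents: read, packages: write }
  jobs:
    build-ubuntu-amd64: { runs-on: ubuntu-latest, steps: [] }
    build-ubuntu-arm64: { runs-on: ubuntu-latest, steps: [] }
    build-and-push-docker-image: { runs-on: ubuntu-latest, steps: [] }
YAML
AFTER = <<~YAML
  permissions: { contents: read }
  jobs:
    build-ubuntu-amd64: { runs-on: ubuntu-latest, steps: [] }
    build-ubuntu-arm64: { runs-on: ubuntu-latest, steps: [] }
    build-and-push-docker-image:
      runs-on: ubuntu-latest
      permissions: { contents: read, packages: write }
      steps: []
YAML
puts audit(BEFORE), '---', audit(AFTER) if $PROGRAM_NAME == __FILE__
```

Running it prints three packages: write findings for BEFORE and a single one for AFTER, which is the narrowing the review asks for.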

LesnyRumcajs force-pushed the workflow-permissions branch from 24b2c20 to 111d22d on April 1, 2026 14:25
LesnyRumcajs enabled auto-merge April 1, 2026 15:02
LesnyRumcajs added this pull request to the merge queue Apr 2, 2026
Merged via the queue into main with commit 92e96e6 Apr 2, 2026
51 of 52 checks passed
LesnyRumcajs deleted the workflow-permissions branch April 2, 2026 09:11

Development

Successfully merging this pull request may close these issues.

workflows don't contain permissions

2 participants