
docs(bootstrap): Actions-hardening interactions (startup_failure, auto-approve)#92

Merged
CybotTM merged 1 commit into
mainfrom
docs/hardening-interactions
Jun 23, 2026
Conversation

@CybotTM

@CybotTM CybotTM commented Jun 23, 2026

Member

Two hardening interactions that cause real failures, observed bootstrapping netresearch/jujutsu-workflow-skill, added to repo-bootstrap.md right where the hardening commands live:

  1. Read-only default token + reusable-workflow callers: a caller job that omits its own `permissions:` inherits read-only and startup_failures (no logs) when the reusable requires a permission it wasn't granted. Fix: explicit per-job `permissions:` (e.g. `contents: read` + `security-events: write` for the security reusables).
  2. `can_approve_pull_request_reviews=false` disables auto-approve: it silently breaks pr-quality auto-approve and dependabot auto-merge (PRs stick on REVIEW_REQUIRED). Keep `can_approve=true` when those are used; least-privilege is already carried by `default_workflow_permissions=read`.

Source: /retro on the jujutsu-workflow-skill build session.

Copilot AI review requested due to automatic review settings June 23, 2026 10:59
@github-actions

github-actions Bot commented Jun 23, 2026

Contributor

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

@github-actions github-actions Bot added documentation Improvements or additions to documentation skill labels Jun 23, 2026
@CybotTM CybotTM force-pushed the docs/hardening-interactions branch from 7990282 to 566907c on June 23, 2026 11:00

@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request updates the repo-bootstrap.md documentation to add two detailed interaction notes regarding GitHub repository workflow settings: one explaining startup failures when using read-only tokens with reusable workflows, and another explaining how disabling workflow-based PR approvals affects auto-approve and dependabot auto-merge configurations. The reviewer suggested using the full parameter name can_approve_pull_request_reviews instead of the shorthand can_approve in the documentation to maintain consistency and accuracy.


Comment thread skills/github-project/references/repo-bootstrap.md Outdated

Copilot AI left a comment


Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

After hardening the default token to read-only, document two traps observed in
the field (netresearch/jujutsu-workflow-skill bootstrap):

- read-only default + reusable-workflow caller jobs without an explicit
  permissions block -> startup_failure (no logs). Grant per-job permissions.
- can_approve_pull_request_reviews=false silently disables pr-quality
  auto-approve and dependabot auto-merge -> PRs stick on REVIEW_REQUIRED.
  Keep can_approve=true when those are used.

Signed-off-by: Sebastian Mendel <info@sebastianmendel.de>
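Both the PR description and the commit message above describe the same two traps: a caller job without its own `permissions:` block hitting startup_failure under a read-only default token, and `can_approve_pull_request_reviews=false` stalling auto-approve. The following is an added example, not code from the jujutsu-workflow-skill repo or the github-project skill, that checks a caller workflow and the repository's workflow-permission settings for exactly these two conditions. The reusable-workflow paths and the map of what each reusable requires are constructed assumptions (a real check would take them from the `permissions:` the reusables declare); the settings dict is assumed to have the shape returned by `GET /repos/{owner}/{repo}/actions/permissions/workflow`.

```python
import re

# Constructed map: what each reusable workflow needs from the caller's token
# (hypothetical paths; replace with the permissions your reusables declare).
REQUIRED_BY_REUSABLE = {
    "org/security-workflows/.github/workflows/codeql.yml":
        {"contents": "read", "security-events": "write"},
    "org/security-workflows/.github/workflows/scorecard.yml":
        {"contents": "read", "security-events": "write", "id-token": "write"},
}
RANK = {"none": 0, "read": 1, "write": 2}
KEY_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+):\s*(.*)$")


def parse_jobs(workflow_text):
    """Minimal parse of the jobs: section -> {job_id: {"uses": ..., "permissions": ...}}.

    Handles only the 2-space-indented layout GitHub's examples use (no PyYAML needed).
    "permissions" is None when the job has no block, i.e. it inherits the repo default.
    """
    jobs, job_id, in_jobs, in_perms = {}, None, False, False
    for line in workflow_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:                      # top-level key: only jobs: matters here
            in_jobs, job_id = line.startswith("jobs:"), None
            continue
        m = KEY_RE.match(line)
        if not in_jobs or not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if indent == 2 and value == "":      # a new job id
            job_id, in_perms = key, False
            jobs[job_id] = {"uses": None, "permissions": None}
        elif job_id and indent == 4:
            in_perms = False
            if key == "uses":                # job-level uses: == reusable-workflow call
                jobs[job_id]["uses"] = value.split("@")[0]
            elif key == "permissions":
                if value in ("read-all", "write-all"):
                    jobs[job_id]["permissions"] = {"*": value[:-4]}
                else:                        # block form, or an explicit {}
                    jobs[job_id]["permissions"], in_perms = {}, value == ""
        elif job_id and in_perms and indent > 4:
            jobs[job_id]["permissions"][key] = value
    return jobs


def granted_level(permissions, scope):
    """An explicit block sets every unlisted scope to none; read-all/write-all cover all scopes."""
    return permissions.get("*") or permissions.get(scope, "none")


def find_startup_failures(workflow_text, required=REQUIRED_BY_REUSABLE):
    """Caller jobs that would startup_failure with default_workflow_permissions=read."""
    findings = []
    for job_id, job in parse_jobs(workflow_text).items():
        if job["uses"] is None:
            continue                         # ordinary job: read-only default is fine here
        explicit = job["permissions"] is not None
        granted = job["permissions"] if explicit else {"*": "read"}   # repo default: read-only
        missing = [f"{scope}: {level}"
                   for scope, level in required.get(job["uses"], {}).items()
                   if RANK[granted_level(granted, scope)] < RANK[level]]
        if missing:
            why = "missing " if explicit else "inherits read-only default, lacks "
            findings.append((job_id, why + ", ".join(missing)))
    return findings


def check_workflow_settings(settings, uses_auto_approve):
    """settings: assumed JSON of GET /repos/{owner}/{repo}/actions/permissions/workflow."""
    findings = []
    if settings.get("default_workflow_permissions") != "read":
        findings.append("default_workflow_permissions should be read (least privilege)")
    if uses_auto_approve and not settings.get("can_approve_pull_request_reviews"):
        findings.append("can_approve_pull_request_reviews=false: auto-approve/auto-merge "
                        "PRs will stay REVIEW_REQUIRED")
    return findings


# Constructed caller workflows: the broken shape and the fixed shape from the PR text.
BROKEN_CALLER = """\
name: security
on: [push]
jobs:
  codeql:
    uses: org/security-workflows/.github/workflows/codeql.yml@v1
  scorecard:
    uses: org/security-workflows/.github/workflows/scorecard.yml@v1
    permissions:
      security-events: write
  unit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
"""

FIXED_CALLER = """\
name: security
on: [push]
jobs:
  codeql:
    uses: org/security-workflows/.github/workflows/codeql.yml@v1
    permissions:
      contents: read
      security-events: write
  scorecard:
    uses: org/security-workflows/.github/workflows/scorecard.yml@v1
    permissions:
      contents: read
      security-events: write
      id-token: write
"""

if __name__ == "__main__":
    for name, text in (("broken", BROKEN_CALLER), ("fixed", FIXED_CALLER)):
        print(name, find_startup_failures(text))
    print(check_workflow_settings(
        {"default_workflow_permissions": "read", "can_approve_pull_request_reviews": False},
        uses_auto_approve=True))
```

The parser deliberately treats an explicit `permissions:` block as "everything not listed is none", which is how GitHub applies job-level permissions; that is why the `scorecard` job in the broken sample is flagged for `contents: read` even though it granted `security-events: write`.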
@CybotTM CybotTM force-pushed the docs/hardening-interactions branch from 566907c to d41b319 on June 23, 2026 15:40
@CybotTM CybotTM merged commit ac8b19e into main Jun 23, 2026
18 checks passed
@CybotTM CybotTM deleted the docs/hardening-interactions branch June 23, 2026 15:42