docs(bootstrap): Actions-hardening interactions (startup_failure, auto-approve) #92
Dependency Review: ✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found. Scanned Files: None
Code Review
This pull request updates the repo-bootstrap.md documentation to add two detailed interaction notes regarding GitHub repository workflow settings: one explaining startup failures when using read-only tokens with reusable workflows, and another explaining how disabling workflow-based PR approvals affects auto-approve and dependabot auto-merge configurations. The reviewer suggested using the full parameter name can_approve_pull_request_reviews instead of the shorthand can_approve in the documentation to maintain consistency and accuracy.
After hardening the default token to read-only, document two traps observed in the field (netresearch/jujutsu-workflow-skill bootstrap):

- read-only default + reusable-workflow caller jobs without an explicit permissions block -> startup_failure (no logs). Grant per-job permissions.
- can_approve_pull_request_reviews=false silently disables pr-quality auto-approve and dependabot auto-merge -> PRs stick on REVIEW_REQUIRED. Keep can_approve=true when those are used.

Signed-off-by: Sebastian Mendel <info@sebastianmendel.de>
Two hardening interactions that cause real failures, observed bootstrapping netresearch/jujutsu-workflow-skill, added to repo-bootstrap.md right where the hardening commands live:

- `permissions:` inherits read-only and `startup_failure`s (no logs) when the reusable requires a permission it wasn't granted. Fix: explicit per-job `permissions:` (e.g. `contents: read` + `security-events: write` for the security reusables).
- `can_approve_pull_request_reviews=false` disables auto-approve — it silently breaks `pr-quality` auto-approve and dependabot auto-merge (PRs stick on `REVIEW_REQUIRED`). Keep `can_approve=true` when those are used; least-privilege is already carried by `default_workflow_permissions=read`.

Source: /retro on the jujutsu-workflow-skill build session.
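The first interaction above, as an added example that is not part of this PR or of the repo-bootstrap.md docs: a caller workflow with the failing job shape next to the fixed one. The reusable workflow path, the workflow name and the trigger are assumptions; the repository is assumed to have `default_workflow_permissions=read` set.

```yaml
# Added example (not from the PR). Assumes the repo's default GITHUB_TOKEN
# permissions are read-only (default_workflow_permissions=read).
name: security

on:
  pull_request:
  push:
    branches: [main]

jobs:
  # BROKEN shape: no permissions block, so this job's token inherits the
  # read-only default. If the reusable workflow declares it needs
  # security-events: write (e.g. to upload SARIF), GitHub rejects the run
  # when the workflow is loaded: the run shows startup_failure and no job
  # logs are produced. Shown only for contrast; a workflow containing this
  # job would fail as a whole, so keep only the fixed job in a real repo.
  scan-inherit:
    uses: ./.github/workflows/reusable-security-scan.yml   # assumed path

  # FIXED shape: grant exactly what the reusable workflow needs, per job.
  # Least privilege still holds: only these two scopes are elevated, and
  # every other job in the repo keeps the read-only default.
  scan-explicit:
    permissions:
      contents: read
      security-events: write
    uses: ./.github/workflows/reusable-security-scan.yml   # assumed path
```

A called reusable workflow can only narrow the permissions it receives from the caller, never widen them, which is why the grant has to live on the caller job.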