
fix: add explicit empty permissions to docs-broken-links workflow #1131

Merged
msukkari merged 5 commits into main from cursor/fix-workflow-permissions-e99b
Apr 18, 2026

Conversation

@msukkari
Contributor

@msukkari msukkari commented Apr 18, 2026

Summary

This PR addresses CodeQL security alert #1 (actions/missing-workflow-permissions) by adding explicit permissions: {} to the docs-broken-links.yml workflow.

Problem

The workflow runs a broken-link check job using Mintlify without declaring explicit GitHub token permissions. Without explicit permissions, the job inherits default token permissions (potentially contents: write or pull-requests: write depending on repo settings).

Since this workflow:

  • Checks out the repository
  • Installs the Mintlify CLI via npm
  • Runs mintlify broken-links in the docs directory

None of these steps require any GitHub token access, yet the ambient GITHUB_TOKEN could be exploited if the Mintlify package were compromised.

Solution

Add permissions: {} at the workflow level to explicitly deny all GitHub token permissions, following the principle of least privilege.

References

Fixes #932

Linear Issue: SOU-932


Summary by CodeRabbit

  • Bug Fixes
    • Corrected the documentation workflow's permissions to enforce least-privilege and prevent unintended token access.
  • Documentation
    • Added a changelog entry noting the workflow permissions fix.

This addresses CodeQL alert #1 (actions/missing-workflow-permissions).
The workflow checks for broken links in docs using Mintlify CLI and
doesn't require any GitHub token access. Adding permissions: {} ensures
the workflow runs with minimal privileges, reducing supply-chain risk.

Co-authored-by: Michael Sukkarieh <msukkari@users.noreply.github.com>
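The hardened configuration the PR describes, written out as an added example; this is not the repository's actual docs-broken-links.yml. Only the three steps named in the description (checkout, npm install of the Mintlify CLI, `mintlify broken-links` in the docs directory) come from the page; the trigger, action versions, Node setup step and npm package name are assumptions.

```yaml
# Added example, not the project's own workflow file. Trigger paths,
# action versions, the setup-node step and the npm package name are
# assumed; the three job steps mirror the PR description.
name: docs-broken-links

on:
  pull_request:
    paths:
      - "docs/**"   # assumed trigger scope

# Before the fix there was no `permissions:` key at all, so GITHUB_TOKEN
# silently inherited the repository's default token permissions (which can
# be write-all). The empty mapping below grants the automatic token no
# scopes for every job in the workflow; a job that genuinely needs a scope
# must re-declare it under its own `permissions:` key.
permissions: {}

jobs:
  broken-links:
    runs-on: ubuntu-latest
    steps:
      # Step 1 from the description: check out the repository.
      - uses: actions/checkout@v4

      # Assumed: a Node toolchain so that npm is available.
      - uses: actions/setup-node@v4
        with:
          node-version: 20

      # Step 2 from the description: install the Mintlify CLI via npm.
      # The package name is an assumption.
      - name: Install Mintlify CLI
        run: npm install -g mintlify

      # Step 3 from the description: run the link check in the docs directory.
      # Nothing here calls the GitHub API, so a scopeless token is enough.
      - name: Check for broken links
        working-directory: docs
        run: mintlify broken-links
```

Two caveats apply when copying this pattern to other workflows. `permissions:` scopes only the automatic GITHUB_TOKEN; any other credential a step reads through `${{ secrets.* }}` is untouched by it and still needs its own review. And on a private repository `actions/checkout` clones with that token, so an empty workflow-level block would have to be paired with a job-level `permissions: contents: read` for the clone to succeed; on a public repository, as here, the read works without any granted scope and nothing needs to be re-added.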

@coderabbitai
Contributor

coderabbitai bot commented Apr 18, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 00a4ea7a-a82b-41af-a5e9-e4d224afce04

📥 Commits

Reviewing files that changed from the base of the PR and between b1aad96 and 1401a1c.

📒 Files selected for processing (1)
  • CHANGELOG.md
✅ Files skipped from review due to trivial changes (1)
  • CHANGELOG.md

Walkthrough

This PR adds an explicit workflow-level permissions: {} block to .github/workflows/docs-broken-links.yml and records the change in CHANGELOG.md. No other workflow behavior, triggers, or job steps were modified.

Changes

Cohort / File(s) | Summary

GitHub Actions Configuration: .github/workflows/docs-broken-links.yml | Added a top-level permissions: {} block to explicitly set no GitHub token permissions for the workflow.

Changelog: CHANGELOG.md | Added an Unreleased → Fixed entry documenting the addition of explicit workflow permissions to docs-broken-links.yml.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Suggested reviewers

  • brendan-kellam
🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Linked Issues check: ⚠️ Warning
  Explanation: The PR addresses security (adding workflow permissions) but linked issue #932 requires preserving angle-bracketed text in chat. No code changes related to #932 are present in this PR.
  Resolution: Either relink to the correct issue (#1131 or similar security-focused issue) or include code changes that address the angle-bracketed text preservation in chat as described in #932.

Out of Scope Changes check: ⚠️ Warning
  Explanation: All changes are in-scope for adding workflow permissions: .github/workflows/docs-broken-links.yml and CHANGELOG.md updates. However, the security fix appears unrelated to the linked issue #932 about chat rendering. The workflow permissions fix is out-of-scope relative to linked issue #932.
  Resolution: Update the issue links to reference the actual security issue this PR addresses.

✅ Passed checks (3 passed)

Description Check: ✅ Passed
  Explanation: Check skipped - CodeRabbit's high-level summary is enabled.

Title check: ✅ Passed
  Explanation: The pull request title accurately describes the main change: adding explicit empty permissions to the docs-broken-links workflow to address security concerns.

Docstring Coverage: ✅ Passed
  Explanation: No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@msukkari msukkari enabled auto-merge (squash) April 18, 2026 02:31
@msukkari msukkari disabled auto-merge April 18, 2026 03:29
@msukkari msukkari merged commit da92ca1 into main Apr 18, 2026
8 checks passed