
CI - Merge hooks#4224

Draft
bfops wants to merge 6 commits into master from bfops/discord-post-on-merge

Conversation

@bfops (Collaborator) commented Feb 6, 2026

Description of Changes

API and ABI breaking changes

Expected complexity level and risk

Testing

              owner: 'clockworklabs',
              repo: 'SpacetimeDBPrivate',
              workflow_id: 'public-pr-merge.yml',
              ref: 'bfops/smarter-internal-tests',
@bfops (Collaborator, Author) commented:

before merging:

Suggested change
-              ref: 'bfops/smarter-internal-tests',
+              ref: 'master',


  invokePrivate:
    runs-on: ubuntu-latest
    if: github.event.pull_request.merged == true
@bfops (Collaborator, Author) commented:

before merging:

Suggested change
-    if: github.event.pull_request.merged == true
+    if: github.event.pull_request.merged == true &&
+      github.event.pull_request.base.ref == 'master'

bfops and others added 2 commits February 6, 2026 13:49
# Description of Changes

<!-- Please describe your change, mention any related tickets, and so on
here. -->

# API and ABI breaking changes

<!-- If this is an API or ABI breaking change, please apply the
corresponding GitHub label. -->

# Expected complexity level and risk

<!--
How complicated do you think these changes are? Grade on a scale from 1
to 5,
where 1 is a trivial change, and 5 is a deep-reaching and complex
change.

This complexity rating applies not only to the complexity apparent in
the diff,
but also to its interactions with existing and future code.

If you answered more than a 2, explain what is complex about the PR,
and what other components it interacts with in potentially concerning
ways. -->

# Testing

<!-- Describe any testing you've done, and any testing you'd like your
reviewers to do,
so that you're confident that all the changes work as expected! -->

- [ ] <!-- maybe a test you want to do -->
- [ ] <!-- maybe a test you want a reviewer to do, so they can check it
off when they're satisfied. -->

Co-authored-by: Zeke Foppa <bfops@users.noreply.github.com>
Comment on lines +75 to +91
    runs-on: ubuntu-latest
    if: github.event.pull_request.merged == true
    steps:
      - name: Dispatch private merge workflow
        uses: actions/github-script@v7
        with:
          github-token: ${{ secrets.SPACETIMEDB_PRIVATE_TOKEN }}
          script: |
            await github.rest.actions.createWorkflowDispatch({
              owner: 'clockworklabs',
              repo: 'SpacetimeDBPrivate',
              workflow_id: 'public-pr-merge.yml',
              ref: 'bfops/smarter-internal-tests',
              inputs: {
                public_pr_number: String(context.payload.pull_request.number),
              }
            });

Check warning (Code scanning / CodeQL): Workflow does not contain permissions (Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix (AI, about 22 hours ago):

In general, the fix is to add an explicit permissions: block either at the workflow root (to apply to all jobs) or per job, granting only the scopes the workflow needs. Since this workflow appears to only need read access to repository contents and PR metadata via GITHUB_TOKEN, it can safely use contents: read at the workflow level as a minimal baseline. If in the future a job requires additional permissions, they can be added on that specific job.

The single best change here is: add a workflow-level permissions: block near the top of .github/workflows/discord-posts.yml, directly under the on: section, specifying contents: read. This will apply to both discordNotification and invokePrivate jobs. The invokePrivate job doesn’t use GITHUB_TOKEN at all (it uses secrets.SPACETIMEDB_PRIVATE_TOKEN), so it does not need additional permissions. No other functionality needs to change, and no imports or external libraries are required, since this is purely GitHub Actions YAML configuration.

Concretely:

  • Edit .github/workflows/discord-posts.yml.
  • After the on: ... block (lines 3–5), insert:
    permissions:
      contents: read
  • Leave the rest of the workflow unchanged. This explicitly limits the GITHUB_TOKEN to read-only access to repository contents and associated metadata, which is sufficient for running gh pr checks and other read-only operations in this workflow.
Suggested changeset 1
.github/workflows/discord-posts.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/discord-posts.yml b/.github/workflows/discord-posts.yml
--- a/.github/workflows/discord-posts.yml
+++ b/.github/workflows/discord-posts.yml
@@ -4,6 +4,9 @@
   pull_request:
     types: [closed]
 
+permissions:
+  contents: read
+
 jobs:
   discordNotification:
     runs-on: ubuntu-latest
EOF
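Review bot: the workflow-level contents: read added here bounds only GITHUB_TOKEN; the cross-repo dispatch in invokePrivate runs under secrets.SPACETIMEDB_PRIVATE_TOKEN, whose reach is set on that PAT itself, so this hunk does not reduce what an over-scoped dispatch token could do, and that token should stay limited to workflow dispatch on SpacetimeDBPrivate. Since the autofix explanation states that invokePrivate does not use GITHUB_TOKEN at all, consider adding a job-level "permissions: {}" to invokePrivate so the read grant applies only to discordNotification, and verify before merging that discordNotification's steps actually need contents: read rather than a narrower scope.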
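Folding the three suggestions in this thread (the autofix's workflow-level permissions block, the author's base-branch condition, and the ref: 'master' change) into one job, as an added example that is not the PR's own discord-posts.yml; the discordNotification job is omitted, and the job-level permissions: {} on invokePrivate is an assumption based on the autofix's note that the job never uses GITHUB_TOKEN:

```yaml
on:
  pull_request:
    types: [closed]

# Workflow-level baseline for GITHUB_TOKEN (the autofix's suggestion);
# discordNotification (omitted here) inherits this read-only grant.
permissions:
  contents: read

jobs:
  invokePrivate:
    runs-on: ubuntu-latest
    # Fire only for PRs that were actually merged, and only into master,
    # so a merge into a feature or release branch does not dispatch the
    # private workflow (the author's second suggested change).
    if: >-
      github.event.pull_request.merged == true &&
      github.event.pull_request.base.ref == 'master'
    # Assumption: this job never touches GITHUB_TOKEN, so it gets no scopes.
    # The PAT below is bounded by its own scope, not by this block.
    permissions: {}
    steps:
      - name: Dispatch private merge workflow
        uses: actions/github-script@v7
        with:
          github-token: ${{ secrets.SPACETIMEDB_PRIVATE_TOKEN }}
          script: |
            await github.rest.actions.createWorkflowDispatch({
              owner: 'clockworklabs',
              repo: 'SpacetimeDBPrivate',
              workflow_id: 'public-pr-merge.yml',
              // Dispatch from the default branch, not a feature branch
              // (the author's first suggested change).
              ref: 'master',
              inputs: {
                public_pr_number: String(context.payload.pull_request.number),
              }
            });
```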