fix(pii-gate): run under restrictive default token perms (contents-scoped Compare API)#63
Merged
Conversation
…l-requests perm (#62)
Contributor
👋 Heads-up — Code review queue is at 32 / 30, above the WIP limit. The team convention is to review existing PRs before opening new work. Open PRs currently in Code review (oldest first):
Pull from review before opening new work. (This is a nudge from the kanban WIP check, not a block.)
Contributor
Author
Verified green on a test PR in tracebloc/cli with an unmodified minimal caller (run 27748465192) — jobs run, no startup failure; before the fix the same minimal caller @main gave 0-job startup failures. Needs one approving review from a non-author (org ruleset on
shujaatTracebloc
approved these changes
Jun 18, 2026
Problem
After publishing `public-pii-gate.yml` to main (#60), the Public PII gate still failed at startup with 0 jobs on every PR in adopting repos (cli, data-ingestors).
Root cause: the reusable workflow declared `permissions: { contents: read, pull-requests: read }`, but those repos' default workflow token permission is "read" (grants `contents`/`packages` read; `pull-requests: none`). A minimal caller (`uses:` + `secrets: inherit`, no `permissions:` block) therefore cannot grant `pull-requests`, so the called workflow's request exceeds the caller's ceiling → startup failure, no jobs.
Fix
Make the reusable workflow self-sufficient under the restrictive default so callers stay trivial (no per-repo `permissions:` block, no recurring footgun):
Title/body/labels already come from the event payload (no API). Full scan coverage (title + body + commit messages) is preserved.
Verification
On a test PR in tracebloc/cli with an unmodified minimal caller pointed at this branch, the gate ran green (jobs executed, no startup failure) — run 27748465192. Before the fix, identical minimal callers @main produced 0-job startup failures.
Tracking: #62
Note
Low Risk
CI-only permission and API change for PR text scanning; same haystack sources with a documented 250-commit Compare API cap.
Overview
Fixes reusable Public PII gate workflows that failed at startup with 0 jobs when called from repos whose default `GITHUB_TOKEN` only grants `contents: read` (no `pull-requests`). The workflow now requests `permissions: contents: read` only (drops `pull-requests: read`) and loads commit messages via the Compare API (`repos/.../compare/{base}...{head}`) using `PR_BASE_SHA`/`PR_HEAD_SHA` from the event, instead of `gh pr view --json commits`. PR title, body, and labels still come from the payload; scan coverage is unchanged. Header comments document why `pull-requests` must not be requested and the 250-commit Compare API limit.
Reviewed by Cursor Bugbot for commit 5fad0d9.
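To make the two points in the PR description and the Bugbot overview concrete (the called-workflow permission ceiling, and gathering commit messages through the contents-scoped Compare API with its 250-commit cap), here is an added Python model. It is not code from the tracebloc workflow or from this PR. The function names, the `DEFAULT_READ_TOKEN` table, the sample event and the sample Compare API response are constructed for illustration; the response shape (`total_commits`, `commits[].commit.message`) follows the public GitHub REST API, and the `permissions` rule modelled is the one the PR description states: a called workflow cannot request a scope the caller's token lacks.

```python
"""Added example (not the tracebloc workflow's own code): models the two
changes this PR makes to the Public PII gate.

1. Why the old `permissions` block failed at startup under a caller whose
   default GITHUB_TOKEN is "read" (contents/packages only).
2. How commit messages are gathered via the Compare API instead of
   `gh pr view --json commits`, including the 250-commit cap check.

All sample data below is constructed for illustration.
"""
import json

# Default GITHUB_TOKEN under the "read repository contents and packages
# permissions" repo setting, as the PR description states for the adopting
# repos. Scopes absent from the dict are "none". (Table is an assumption.)
DEFAULT_READ_TOKEN = {"contents": "read", "packages": "read", "metadata": "read"}

_RANK = {"none": 0, "read": 1, "write": 2}

# What the reusable workflow requested before and after this PR.
PERMS_BEFORE = {"contents": "read", "pull-requests": "read"}
PERMS_AFTER = {"contents": "read"}

# Documented cap on commits returned by the Compare API (constant name assumed).
COMPARE_COMMIT_CAP = 250


def scopes_above_ceiling(requested, caller_token):
    """Scopes a called workflow asks for above what the caller's token holds.

    A called workflow may only downgrade the caller's token; any scope in the
    result makes the run fail at startup with 0 jobs, which is the symptom the
    PR fixes. A minimal caller (no `permissions:` block) passes the repo default.
    """
    return sorted(
        scope for scope, level in requested.items()
        if _RANK[level] > _RANK[caller_token.get(scope, "none")]
    )


def compare_path(repo, base_sha, head_sha):
    """REST path the workflow hits (e.g. via `gh api <path>`); contents-scoped."""
    return f"repos/{repo}/compare/{base_sha}...{head_sha}"


def commit_messages(compare_payload):
    """Extract commit messages from a Compare API response.

    Returns (messages, truncated). `truncated` is True when the API reports more
    commits in the range than it returned, i.e. the range exceeds the cap and
    the scan would silently miss commit messages unless the workflow fails or
    falls back to another source.
    """
    messages = [c["commit"]["message"] for c in compare_payload["commits"]]
    truncated = compare_payload["total_commits"] > len(messages)
    return messages, truncated


def build_haystack(event, compare_payload):
    """Title + body from the event payload (no API call) + commit messages."""
    pr = event["pull_request"]
    msgs, truncated = commit_messages(compare_payload)
    text = "\n".join([pr["title"], pr.get("body") or "", *msgs])
    return text, truncated


# --- constructed sample data -------------------------------------------------
SAMPLE_EVENT = {
    "pull_request": {
        "title": "Add export endpoint",
        "body": "Adds /export; refs internal ticket.",
        "base": {"sha": "1111111111111111111111111111111111111111"},
        "head": {"sha": "2222222222222222222222222222222222222222"},
    }
}

SAMPLE_COMPARE = {
    "total_commits": 2,
    "commits": [
        {"sha": "aaa", "commit": {"message": "Add export handler"}},
        {"sha": "bbb", "commit": {"message": "Wire route; contact dev@example.com"}},
    ],
}

# A range larger than the cap: the API returns at most 250 commits but reports
# the true total, so the caller can detect the gap instead of scanning a subset.
SAMPLE_COMPARE_CAPPED = {
    "total_commits": COMPARE_COMMIT_CAP + 1,
    "commits": [{"sha": "ccc", "commit": {"message": "one of many"}}],
}


if __name__ == "__main__":
    print("before:", scopes_above_ceiling(PERMS_BEFORE, DEFAULT_READ_TOKEN))
    print("after: ", scopes_above_ceiling(PERMS_AFTER, DEFAULT_READ_TOKEN))
    pr = SAMPLE_EVENT["pull_request"]
    print(compare_path("owner/repo", pr["base"]["sha"], pr["head"]["sha"]))
    text, truncated = build_haystack(SAMPLE_EVENT, SAMPLE_COMPARE)
    print(json.dumps({"haystack": text, "truncated": truncated}, indent=2))
    print("capped range truncated:", build_haystack(SAMPLE_EVENT, SAMPLE_COMPARE_CAPPED)[1])
```

The `truncated` flag is the check worth carrying into a real gate: a PR with more than 250 commits in its range would otherwise pass the scan with part of its commit text never inspected, so the workflow should either fail closed on that flag or fall back to another commit source.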