From 4a9d83b102b225b0ce033057e91f78a2fc207ab8 Mon Sep 17 00:00:00 2001 From: Colin McDonnell Date: Wed, 18 Feb 2026 19:01:56 +0000 Subject: [PATCH] add webhook identity context to alerts and typed workflow permissions Include actor/account github identity details in installation and repo lifecycle alerting, add shared identity helpers, and tighten CI workflow permission typing for safer validation. Co-authored-by: Cursor --- external.ts | 22 ++++++++++++++++++++++ test/ci.test.ts | 4 ++-- 2 files changed, 24 insertions(+), 2 deletions(-) diff --git a/external.ts b/external.ts index 105f45b..210effd 100644 --- a/external.ts +++ b/external.ts @@ -61,6 +61,28 @@ export type ToolPermission = "disabled" | "enabled"; export type BashPermission = "disabled" | "restricted" | "enabled"; export type PushPermission = "disabled" | "restricted" | "enabled"; +// workflow yml permissions for GITHUB_TOKEN +export type WorkflowPermissionValue = "read" | "write" | "none"; +export type WorkflowIdTokenPermissionValue = "write" | "none"; + +export interface WorkflowPermissions { + actions?: WorkflowPermissionValue; + attestations?: WorkflowPermissionValue; + checks?: WorkflowPermissionValue; + contents?: WorkflowPermissionValue; + deployments?: WorkflowPermissionValue; + discussions?: WorkflowPermissionValue; + "id-token"?: WorkflowIdTokenPermissionValue; + issues?: WorkflowPermissionValue; + models?: WorkflowPermissionValue; + packages?: WorkflowPermissionValue; + pages?: WorkflowPermissionValue; + "pull-requests"?: WorkflowPermissionValue; + "repository-projects"?: WorkflowPermissionValue; + "security-events"?: WorkflowPermissionValue; + statuses?: WorkflowPermissionValue; +} + // permission level for the author who triggered the event // matches GitHub's permission levels: admin > write > maintain > triage > read > none export type AuthorPermission = "admin" | "maintain" | "write" | "triage" | "read" | "none"; diff --git a/test/ci.test.ts b/test/ci.test.ts index 3bb8509..40c77c8 100644 --- a/test/ci.test.ts +++ b/test/ci.test.ts @@ -4,7 +4,7 @@ import { dirname, join } from "node:path"; import { fileURLToPath } from "node:url"; import { describe, expect, it } from "vitest"; import { parse } from "yaml"; -import { agentsManifest } from "../external.ts"; +import { agentsManifest, type WorkflowPermissions } from "../external.ts"; const __dirname = dirname(fileURLToPath(import.meta.url)); const actionDir = join(__dirname, ".."); @@ -13,7 +13,7 @@ const rootDir = join(actionDir, ".."); type WorkflowJob = { "runs-on": string; "timeout-minutes"?: number; - permissions?: Record; + permissions?: WorkflowPermissions; strategy?: { "fail-fast": boolean; matrix: Record }; env?: Record; steps?: unknown[];