From 27a99b80681bf181fd130de9df2aa8fe9053c9f2 Mon Sep 17 00:00:00 2001
From: Copilot
Date: Fri, 27 Feb 2026 19:02:21 +0000
Subject: [PATCH 1/2] refactor: simplify id-token permission handling with switch statement
Replace chained if/else with repeated nil-pointer dereferences with a clean switch statement. Dereference IDToken once into a local variable, then use a switch to separate the three distinct cases: explicitly disabled ("none"), explicitly enabled ("write"), or auto-detected. This follows the project convention of preferring switch statements over chained if/else for multi-case logic.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 pkg/workflow/safe_outputs_permissions.go | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)
diff --git a/pkg/workflow/safe_outputs_permissions.go b/pkg/workflow/safe_outputs_permissions.go
index fa965e53d8..fc6e4e9ad6 100644
--- a/pkg/workflow/safe_outputs_permissions.go
+++ b/pkg/workflow/safe_outputs_permissions.go
@@ -205,14 +205,21 @@ func ComputePermissionsForSafeOutputs(safeOutputs *SafeOutputsConfig) *Permissio
 // Handle id-token permission for OIDC/secret vault actions in user-provided steps.
 // Explicit "none" disables auto-detection; explicit "write" always adds it;
 // otherwise auto-detect from the steps list.
- if safeOutputs.IDToken != nil && *safeOutputs.IDToken == "none" {
+ idToken := ""
+ if safeOutputs.IDToken != nil {
+ idToken = *safeOutputs.IDToken
+ }
+ switch idToken {
+ case "none":
 safeOutputsPermissionsLog.Print("id-token permission explicitly disabled (none)")
- } else if safeOutputs.IDToken != nil && *safeOutputs.IDToken == "write" {
+ case "write":
 safeOutputsPermissionsLog.Print("id-token: write explicitly requested")
 permissions.Set(PermissionIdToken, PermissionWrite)
- } else if stepsRequireIDToken(safeOutputs.Steps) {
- safeOutputsPermissionsLog.Print("Auto-detected OIDC/vault action in steps; adding id-token: write")
- permissions.Set(PermissionIdToken, PermissionWrite)
+ default:
+ if stepsRequireIDToken(safeOutputs.Steps) {
+ safeOutputsPermissionsLog.Print("Auto-detected OIDC/vault action in steps; adding id-token: write")
+ permissions.Set(PermissionIdToken, PermissionWrite)
+ }
 }
 safeOutputsPermissionsLog.Printf("Computed permissions with %d scopes", len(permissions.permissions))
From 9080ee84aef2635736dd1eced995eebcd835f2f8 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Fri, 27 Feb 2026 19:04:02 +0000
Subject: [PATCH 2/2] ci: trigger CI checks
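Review bot: The `default:` arm of the new switch runs auto-detection for every value other than "none" and "write", so a misspelt opt-out such as "None" or "off" still reaches `permissions.Set(PermissionIdToken, PermissionWrite)` when the steps match, and nothing is logged about the unrecognised value. This matches the old else-if chain, but because id-token: write lets the job request OIDC tokens, the opt-out is worth failing closed unless IDToken is validated before this function is called (not visible in the hunk). Consider making the auto-detect arm `case "":` and adding a `default:` that only logs, e.g. `safeOutputsPermissionsLog.Printf("unrecognized id-token value %q; not adding id-token: write", idToken)`. The body of ComputePermissionsForSafeOutputs starts and ends outside the hunk.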