
Add security policy#20

Merged
tarmojussila merged 1 commit into main from feature/security-policy
Mar 3, 2026

Conversation

@tarmojussila
Owner

This pull request introduces several documentation updates and security improvements. The most notable change is the addition of a comprehensive SECURITY.md file, which outlines the project's security policies and best practices. Other changes include minor updates to contribution guidelines and workflow permissions.

Security improvements:

  • Added a new SECURITY.md file detailing supported versions, vulnerability reporting procedures, API key handling, required workflow permissions, and recommendations for pinning the action to a specific release for supply chain security.

Workflow permissions:

  • Removed unnecessary contents: read permission from both .github/workflows/code-review.yml and the example in README.md, clarifying that only pull-requests: write is needed for the action.

@github-actions

github-actions bot commented Mar 3, 2026

🤖 Z.ai Review Agent

Critical: Removal of contents: read breaks functionality

In both .github/workflows/code-review.yml and README.md, you removed the contents: read permission.

  • Issue: GitHub Actions workflows almost always require contents: read to use the standard actions/checkout step or to fetch file contents via the API. Without this permission, the workflow will fail with a "Resource not accessible by integration" error.
  • Action: Restore contents: read in the permissions block.

Incorrect Documentation in SECURITY.md

The "Action Permissions" section in the new SECURITY.md lists only pull-requests: write as the minimum requirement.

  • Issue: As noted above, contents: read is also required to access the repository code for the review to take place. Providing an example that strictly limits permissions to pull-requests: write will mislead users and result in broken workflows.
  • Action: Update the SECURITY.md example to include contents: read:
    permissions:
      contents: read
      pull-requests: write

@tarmojussila
Owner Author

🤖 Z.ai Review Agent

Critical: Removal of contents: read breaks functionality

In both .github/workflows/code-review.yml and README.md, you removed the contents: read permission.

  • Issue: GitHub Actions workflows almost always require contents: read to use the standard actions/checkout step or to fetch file contents via the API. Without this permission, the workflow will fail with a "Resource not accessible by integration" error.
  • Action: Restore contents: read in the permissions block.

Incorrect Documentation in SECURITY.md

The "Action Permissions" section in the new SECURITY.md lists only pull-requests: write as the minimum requirement.

  • Issue: As noted above, contents: read is also required to access the repository code for the review to take place. Providing an example that strictly limits permissions to pull-requests: write will mislead users and result in broken workflows.
  • Action: Update the SECURITY.md example to include contents: read:
    permissions:
      contents: read
      pull-requests: write

This is actually incorrect. contents: read is not required for this workflow to work. All is good ✅
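The discussion above turns on two settings in the workflow file: which `GITHUB_TOKEN` scopes the top-level `permissions:` block grants, and (from the SECURITY.md summary in the PR description) whether the action is pinned to a specific release. The following audit script is an added example, not code from this repository or from the Z.ai review action; it reads a workflow file line by line, reports every granted scope that exceeds an allowed set, and flags any `uses:` reference that is not pinned to a full 40-character commit SHA (a stricter form of pinning than a release tag, and a deliberate choice here). The allowed set is a parameter: the default matches what the PR description states is sufficient (only `pull-requests: write`), and a repository whose checkout step does need `contents: read` passes that scope in instead. The sample workflows, the action name `example-org/review-action` and the SHA value are constructed placeholders.

```python
import re

# Privilege order for GITHUB_TOKEN scope levels.
RANK = {"none": 0, "read": 1, "write": 2}
SHA40 = re.compile(r"^[0-9a-f]{40}$")
USES = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s#]+)")


def parse_permissions(text):
    """Read the top-level (column 0) `permissions:` block of a workflow.

    Returns a dict scope -> level, the shorthand string 'read-all' or
    'write-all', an empty dict for `permissions: {}`, or None when the
    workflow declares no top-level block. Line-based, not a YAML parser.
    """
    lines = text.splitlines()
    for i, line in enumerate(lines):
        head = line.split("#", 1)[0].rstrip()  # drop trailing comments
        m = re.match(r"^permissions:\s*(\S+)?\s*$", head)
        if not m:
            continue
        if m.group(1) == "{}":
            return {}
        if m.group(1):
            return m.group(1)
        perms = {}
        for nxt in lines[i + 1:]:
            if not nxt.strip() or nxt.lstrip().startswith("#"):
                continue
            if not nxt.startswith(" "):
                break  # left the indented block
            key, _, value = nxt.strip().partition(":")
            perms[key.strip()] = value.split("#", 1)[0].strip()
        return perms
    return None


def find_action_refs(text):
    """Return (action, ref) for every `uses:` that points at a remote action."""
    refs = []
    for line in text.splitlines():
        m = USES.match(line)
        if not m:
            continue
        target = m.group(1)
        if target.startswith("./") or target.startswith("docker://"):
            continue  # local and container actions carry no git ref to pin
        name, _, ref = target.partition("@")
        refs.append((name, ref))
    return refs


def audit(text, allowed=None):
    """Return a list of findings; an empty list means both checks pass."""
    allowed = {"pull-requests": "write"} if allowed is None else allowed
    findings = []
    perms = parse_permissions(text)
    if perms is None:
        findings.append("no top-level permissions block; GITHUB_TOKEN gets the repository default")
    elif perms == "write-all":
        findings.append("permissions: write-all grants every scope at write")
    elif perms == "read-all":
        findings.append("permissions: read-all grants every scope at read")
    else:
        for scope, level in perms.items():
            cap = allowed.get(scope, "none")
            if RANK.get(level, 2) > RANK[cap]:
                findings.append(f"permission {scope}: {level} exceeds allowed {cap}")
    for name, ref in find_action_refs(text):
        if not SHA40.match(ref):
            findings.append(f"{name}@{ref or '<no ref>'} is not pinned to a full commit SHA")
    return findings


# Constructed sample workflows (placeholders, not the project's own files).
LOOSE = """\
name: review
on: pull_request
permissions:
  contents: write
  pull-requests: write
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: example-org/review-action@main
"""

TIGHT = """\
name: review
on: pull_request
permissions:
  pull-requests: write
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: example-org/review-action@0123456789abcdef0123456789abcdef01234567  # v1.2.3
"""

if __name__ == "__main__":
    for label, workflow in (("loose", LOOSE), ("tight", TIGHT)):
        print(label, audit(workflow) or ["ok"])
```

Run against `LOOSE` the script reports the extra `contents: write` scope and the branch reference; `TIGHT` passes. Because GitHub sets every scope not listed in an explicit `permissions:` block to `none`, a workflow that works with the smaller block has shown it needs nothing more, which is the cheapest way to settle the question raised in the review comment for a given repository.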

@tarmojussila tarmojussila merged commit 66f987e into main Mar 3, 2026
4 checks passed
@tarmojussila tarmojussila deleted the feature/security-policy branch March 3, 2026 16:18