Add semver-checks.yml #569
base: master
```yaml
run: cargo install cargo-semver-checks
- name: Run semver checks
run: cargo semver-checks
```
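Review bot: the install step `run: cargo install cargo-semver-checks` compiles whatever release is current on crates.io at run time, so the result of the check can change between runs with no change to this repository, and nothing in the excerpt declares a `permissions:` block, so the job token keeps the repository's default scopes. Suggest pinning the tool, for example `run: cargo install cargo-semver-checks --locked --version <exact release>`, and adding `permissions: contents: read` either at the top level or on the job. If this runs on pull requests, consider passing an explicit baseline (`cargo semver-checks --baseline-rev <base sha>`), since without one the tool compares against the latest published crates.io version rather than the base branch.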
reported by reviewdog 🐶
[opengrep] GitHub Actions workflow is missing permissions declaration at the top-level or job-level.
Without explicit permissions, workflows may have excessive default permissions, violating the principle of least privilege.
According to GitHub's security best practices, you should explicitly define permissions to limit the scope of access tokens.
Valid permission scopes include: actions, attestations, checks, contents, deployments, discussions, id-token, issues, models, packages, pages, pull-requests, security-events, statuses
👍 Good examples:
- Top-level: `permissions: { contents: read, pull-requests: write }`
- Job-level: `jobs: build: permissions: { contents: read }`
- Restrict all: `permissions: {}`

👎 Bad:
- No permissions defined in the workflow
GitHub Security Hardening Guide
Source: https://github.com/brave/security-action/blob/main/assets/opengrep_rules/services/github-workflow-missing-permissions.yaml
Cc @thypon @kdenhartog
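The following is an added example, not the project's own workflow file, showing how the two steps from the diff look once a least-privilege `permissions` block is declared and the tool install is pinned. The workflow name, the `pull_request` trigger, the `actions/checkout` step, the `CARGO_SEMVER_CHECKS_VERSION` value and the choice of the PR base commit as baseline are assumptions, not taken from the repository.

```yaml
# Added example (not the project's workflow). Assumed names: workflow name,
# job name, CARGO_SEMVER_CHECKS_VERSION; replace the version placeholder with
# the release you have reviewed.
name: semver-checks

on:
  pull_request:

# Least privilege for every job in this file. Without this block the job's
# GITHUB_TOKEN carries the repository's default scopes, which for many
# repositories include write access to contents, packages and pull requests.
permissions:
  contents: read

env:
  # Pin the checker to one audited release instead of "whatever is latest".
  CARGO_SEMVER_CHECKS_VERSION: "x.y.z"   # placeholder: set to an exact release

jobs:
  semver-checks:
    runs-on: ubuntu-latest
    steps:
      - name: Check out source
        uses: actions/checkout@v4        # prefer pinning to a full commit SHA
        with:
          fetch-depth: 0                 # baseline below needs the base commit

      - name: Install cargo-semver-checks (pinned)
        # --version fixes the release; --locked builds it from the tool's own
        # Cargo.lock so dependency resolution does not drift between runs.
        run: cargo install cargo-semver-checks --locked --version "$CARGO_SEMVER_CHECKS_VERSION"

      - name: Run semver checks
        # Default baseline is the latest crates.io release. On a pull request
        # the useful comparison is against the base branch, so pass it
        # explicitly. The SHA goes through an env var rather than being
        # interpolated into the shell line, the safe pattern for any
        # github.event.* value.
        env:
          BASELINE_REV: ${{ github.event.pull_request.base.sha }}
        run: cargo semver-checks --baseline-rev "$BASELINE_REV"
```

With `permissions: contents: read` at the top level, every job in the file starts from a read-only token and any job that later needs more (for example `pull-requests: write` to post a comment) has to ask for it on that job. The `cargo-semver-checks-action` suggested later in this thread packages the install and baseline handling, but the same `permissions` block is still needed in the calling workflow.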
@copilot address this issue
Rust Benchmark
| Benchmark suite | Current: 16f19ae | Previous: 1e93800 | Ratio |
|---|---|---|---|
| rule-match-browserlike/brave-list | 2033304275 ns/iter (± 9172744) | 2051836000 ns/iter (± 9414636) | 0.99 |
| rule-match-first-request/brave-list | 1099376 ns/iter (± 7119) | 1112038 ns/iter (± 6293) | 0.99 |
| blocker_new/brave-list | 148112615 ns/iter (± 742052) | 143433250 ns/iter (± 539931) | 1.03 |
| blocker_new/brave-list-deserialize | 24510204 ns/iter (± 345803) | 23670075 ns/iter (± 229117) | 1.04 |
| memory-usage/brave-list-initial | 10213344 ns/iter (± 3) | 10213344 ns/iter (± 3) | 1 |
| memory-usage/brave-list-initial/max | 60612235 ns/iter (± 3) | 60612235 ns/iter (± 3) | 1 |
| memory-usage/brave-list-initial/alloc-count | 1231711 ns/iter (± 3) | 1231711 ns/iter (± 3) | 1 |
| memory-usage/brave-list-1000-requests | 2692712 ns/iter (± 3) | 2692712 ns/iter (± 3) | 1 |
| memory-usage/brave-list-1000-requests/alloc-count | 71591 ns/iter (± 3) | 71607 ns/iter (± 3) | 1.00 |
| url_cosmetic_resources/brave-list | 210098 ns/iter (± 612) | 191829 ns/iter (± 505) | 1.10 |
| cosmetic-class-id-match/brave-list | 3405081 ns/iter (± 945084) | 3415862 ns/iter (± 942750) | 1.00 |
This comment was automatically generated by workflow using github-action-benchmark.
@atuchin-m I've opened a new pull request, #570, to work on those changes. Once the pull request is ready, I'll request review from you.
* Add permissions declaration to semver-checks workflow

Co-authored-by: atuchin-m <[email protected]>

---------

Co-authored-by: copilot-swe-agent[bot] <[email protected]>
Co-authored-by: atuchin-m <[email protected]>
antonok-edm
left a comment
the author of cargo-semver-checks is also the author of cargo-semver-checks-action, does it make more sense to use that directly?