Skip to content

fix: auto-inject contents:read when ci.permissions is set#142

Merged
jdutton merged 1 commit intomainfrom
fix/auto-contents-read
Mar 14, 2026
Merged

fix: auto-inject contents:read when ci.permissions is set#142
jdutton merged 1 commit intomainfrom
fix/auto-contents-read

Conversation

@jdutton
Copy link
Owner

@jdutton jdutton commented Mar 14, 2026

Summary

  • Auto-inject contents: read into job-level permissions whenever ci.permissions is configured
  • User-specified contents values (e.g., contents: write) take precedence
  • Bump to 0.19.1-rc.3

Why

Follow-up to PR #141 (job-level permissions). Job-level permissions in GitHub Actions replace all defaults — unlike workflow-level permissions which narrow them. This means actions/checkout fails with "repository not found" on private repos unless contents: read is explicitly listed.

Rather than requiring every consumer to remember this, vibe-validate now handles it automatically.

Test plan

  • All 70 generate-workflow tests pass (2 new: auto-inject test + precedence test)
  • vv validate passes (Pre-Qualification + Testing)
  • Verified: config with only packages: read produces { contents: read, packages: read } in YAML
  • Verified: config with contents: write preserves write (not overridden)

🤖 Generated with Claude Code

@jdutton @claude
fix: auto-inject contents:read when ci.permissions is set
1fddfff 
Job-level permissions replace all GitHub Actions defaults, so
actions/checkout fails with "repository not found" unless contents:read
is explicitly listed. Now auto-injected as a baseline whenever
ci.permissions is configured. User-specified contents values (e.g.
contents:write) take precedence.

Bump to 0.19.1-rc.3.

Co-Authored-By: Claude Opus 4.6 <[email protected]>
@sonarqubecloud
Copy link

sonarqubecloud bot commented Mar 14, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@jdutton jdutton merged commit 1a131fd into main Mar 14, 2026
10 of 12 checks passed
@jdutton jdutton deleted the fix/auto-contents-read branch March 14, 2026 20:43
@codecov
Copy link

codecov bot commented Mar 14, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 85.81%. Comparing base (7683a37) to head (1fddfff).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files 
@@           Coverage Diff           @@
##             main     #142   +/-   ##
=======================================
  Coverage   85.81%   85.81%           
=======================================
  Files         115      115           
  Lines       14997    14997           
  Branches     3242     3242           
=======================================
  Hits        12870    12870           
  Misses       2127     2127

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@jdutton