Skip to content

Fix governance-sentinel workflow (Q6): valid perms + optional admin-read PAT#2

Merged
MSD21091969 merged 1 commit into
mainfrom
hardening/q6-sentinel-fix
Jul 7, 2026
Merged

Fix governance-sentinel workflow (Q6): valid perms + optional admin-read PAT#2
MSD21091969 merged 1 commit into
mainfrom
hardening/q6-sentinel-fix

Conversation

@MSD21091969

Copy link
Copy Markdown
Contributor

Fixes a bug in the just-merged governance-sentinel (hardening Q6).

Two problems with the merged version:

  1. permissions: administration: read is not a valid workflow permission key → GitHub can't parse the file, so it never runs (422 on dispatch: Unexpected value 'administration').
  2. Deeper: the default GITHUB_TOKEN cannot be granted ruleset-read (repos/<r>/rulesets needs the Administration:read repo permission, which has no workflow-permissions key).

This fix:

  • drops the invalid administration key (valid contents: read + issues: write only);
  • reads with ${{ secrets.GOVERNANCE_READ_TOKEN || github.token }} — set a fine-grained PAT secret GOVERNANCE_READ_TOKEN (Administration:read on this repo) to make the check live; without it the ruleset read 403s and the workflow SAFE-NO-OPS (logs a note, opens no issue — never false-alarms).

So it's valid + parseable now, and upgrades to functional the moment the PAT secret is added.

authored-by: agent:claude-cowork.hp-z440 / session:sam.z440-cowork-workspace / t248-hardening-close

… for ruleset read (Q6)

authored-by: agent:claude-cowork.hp-z440 / session:sam.z440-cowork-workspace / t248-hardening-close
Copilot AI review requested due to automatic review settings July 7, 2026 02:30

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR fixes the governance-sentinel GitHub Actions workflow so it becomes parseable/dispatchable again and can optionally use a fine-grained PAT to read repository rulesets (which the default GITHUB_TOKEN cannot access).

Changes:

  • Removes the invalid workflow permission key administration: read to prevent workflow parsing/dispatch failures.
  • Prefers ${{ secrets.GOVERNANCE_READ_TOKEN || github.token }} for gh api authentication so ruleset reads can work when a PAT is configured.
  • Makes the “permission missing” path explicitly safe-no-op (warning only, no issue created).

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment on lines +10 to +14
# GITHUB_TOKEN (no `administration` key exists in a workflow `permissions:`
# block). So set a repo/org secret **GOVERNANCE_READ_TOKEN** = a fine-grained
# PAT with Administration:read on this repo; the step below prefers it and
# falls back to GITHUB_TOKEN. WITHOUT that secret the ruleset read 403s and the
# check SAFE-NO-OPS (logs a note, opens no issue) — it never false-alarms.
@MSD21091969 MSD21091969 merged commit 6680144 into main Jul 7, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants