ci: add explicit permissions to workflow jobs by yonib05 · Pull Request #2388 · strands-agents/harness-sdk

yonib05 · 2026-05-29T18:28:48Z

Summary

Add permissions: {} to ci-gate job in ci.yml (uses no token, so empty permissions is correct)
Add permissions: { contents: read, issues: write } to check-links job in python-check-markdown-links.yml

Test plan

Verify CI workflow still passes (ci-gate job uses no token)
Verify markdown link checker still works with the declared permissions

github-actions · 2026-05-29T18:31:35Z

Assessment: Approve

Clean and well-scoped security hardening PR. The workflow permission declarations follow the principle of least privilege correctly (permissions: {} for ci-gate which needs no token, and contents: read + issues: write for the link checker which needs exactly those). The aws-cdk-lib bump is consistent across all four CDK examples and resolves documented transitive vulnerabilities.

Review Notes

Workflow Permissions: Both additions are correct and minimal — no over-provisioning.
Dependency Updates: The aws-cdk-lib 2.192.0 → 2.257.0 bump is a minor-version update within CDK v2, low risk for example projects. Lock file churn accounts for virtually all the line count.
Scope: No production code or API changes — purely CI/infrastructure.

Straightforward security improvement — LGTM.

codecov · 2026-05-29T18:33:20Z

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

github-actions · 2026-05-29T18:36:50Z

Documentation Preview Ready

Your documentation preview has been successfully deployed!

Preview URL: https://d3ehv1nix5p99z.cloudfront.net/pr-cms-2388/docs/user-guide/quickstart/overview/

Updated at: 2026-06-05T20:11:17.400Z

- Add permissions: {} to ci-gate job (needs no token access) - Add permissions: contents: read, issues: write to check-links job (reads repo, may create issues)

github-actions · 2026-06-05T20:09:30Z

Assessment: Approve

Clean security-hardening PR. The workflow permission additions follow the principle of least privilege correctly, and the lock file regenerations resolve documented transitive dependency vulnerabilities.

Review Notes

Workflow Permissions: permissions: {} for ci-gate is correct (no token needed for re-actors/alls-green). contents: read + issues: write for check-links matches exactly what the job requires (checkout + issue creation).
Lock Files: All changes are lock file churn from the aws-cdk-lib bump and qs advisory resolution — no production code or API surface affected.
Scope: Appropriately scoped to CI/infrastructure only.

github-actions · 2026-06-05T20:10:56Z

Assessment: Approve

Straightforward security hardening — both permission declarations are minimal and correct for their respective jobs.

Verification

ci-gate → permissions: {}: Job only runs re-actors/alls-green to aggregate other job statuses; no checkout, no token usage — empty permissions is the right call.
check-links → contents: read + issues: write: Exactly what's needed for actions/checkout and the github.rest.issues.create() / listForRepo() calls in the script.

zastrowm · 2026-06-08T13:36:49Z

@@ -8,6 +8,9 @@ on:
 jobs:
  check-links:


Does this actually work? I didn't even know this was a workflow we maintained

github-actions Bot added the size/xl label May 29, 2026

yonib05 temporarily deployed to auto-approve May 29, 2026 18:29 — with GitHub Actions Inactive

yonib05 had a problem deploying to auto-approve May 29, 2026 18:29 — with GitHub Actions Failure

yonib05 had a problem deploying to auto-approve May 29, 2026 18:29 — with GitHub Actions Error

github-actions Bot added the strands-running label May 29, 2026

yonib05 force-pushed the fix/workflow-permissions-and-deps branch from a2984c1 to 2d74cb8 Compare May 29, 2026 18:31

github-actions Bot added size/xl and removed size/xl labels May 29, 2026

yonib05 temporarily deployed to auto-approve May 29, 2026 18:31 — with GitHub Actions Inactive

yonib05 had a problem deploying to auto-approve May 29, 2026 18:31 — with GitHub Actions Failure

github-actions Bot removed the strands-running label May 29, 2026

yonib05 temporarily deployed to auto-approve May 29, 2026 18:31 — with GitHub Actions Inactive

github-actions Bot added strands-running and removed strands-running labels May 29, 2026

zastrowm previously approved these changes May 29, 2026

View reviewed changes

yonib05 force-pushed the fix/workflow-permissions-and-deps branch from 2d74cb8 to dbd2952 Compare June 1, 2026 16:58

github-actions Bot removed the size/xl label Jun 1, 2026

yonib05 had a problem deploying to auto-approve June 1, 2026 17:02 — with GitHub Actions Failure

github-actions Bot added the size/xl label Jun 1, 2026

yonib05 temporarily deployed to auto-approve June 1, 2026 17:02 — with GitHub Actions Inactive

yonib05 had a problem deploying to auto-approve June 1, 2026 17:02 — with GitHub Actions Failure

yonib05 temporarily deployed to auto-approve June 1, 2026 17:02 — with GitHub Actions Inactive

github-actions Bot added strands-running and removed strands-running labels Jun 1, 2026

ci: add explicit permissions to workflow jobs

6a7faed

- Add permissions: {} to ci-gate job (needs no token access) - Add permissions: contents: read, issues: write to check-links job (reads repo, may create issues)

yonib05 dismissed zastrowm’s stale review via 831bd02 June 5, 2026 20:06

yonib05 force-pushed the fix/workflow-permissions-and-deps branch from dbd2952 to 831bd02 Compare June 5, 2026 20:06

github-actions Bot added size/xl and removed size/xl labels Jun 5, 2026

yonib05 temporarily deployed to auto-approve June 5, 2026 20:06 — with GitHub Actions Inactive

yonib05 had a problem deploying to auto-approve June 5, 2026 20:06 — with GitHub Actions Failure

github-actions Bot added the strands-running label Jun 5, 2026

yonib05 force-pushed the fix/workflow-permissions-and-deps branch from 831bd02 to 6a7faed Compare June 5, 2026 20:08

github-actions Bot added size/xs and removed size/xl labels Jun 5, 2026

yonib05 temporarily deployed to auto-approve June 5, 2026 20:09 — with GitHub Actions Inactive

github-actions Bot removed the strands-running label Jun 5, 2026

yonib05 changed the title ~~ci: add workflow permissions and update vulnerable dependencies~~ ci: add explicit permissions to workflow jobs Jun 5, 2026

zastrowm approved these changes Jun 8, 2026

View reviewed changes

zastrowm reviewed Jun 8, 2026

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ci: add explicit permissions to workflow jobs#2388

ci: add explicit permissions to workflow jobs#2388
yonib05 wants to merge 1 commit into
strands-agents:mainfrom
yonib05:fix/workflow-permissions-and-deps

yonib05 commented May 29, 2026 •

edited

Loading

Uh oh!

github-actions Bot commented May 29, 2026

Uh oh!

codecov Bot commented May 29, 2026

Uh oh!

github-actions Bot commented May 29, 2026 •

edited

Loading

Uh oh!

github-actions Bot commented Jun 5, 2026

Uh oh!

github-actions Bot commented Jun 5, 2026

Uh oh!

zastrowm Jun 8, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

yonib05 commented May 29, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary

Test plan

Uh oh!

github-actions Bot commented May 29, 2026

Uh oh!

codecov Bot commented May 29, 2026

Codecov Report

Uh oh!

github-actions Bot commented May 29, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Documentation Preview Ready

Uh oh!

github-actions Bot commented Jun 5, 2026

Uh oh!

github-actions Bot commented Jun 5, 2026

Uh oh!

zastrowm Jun 8, 2026

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

yonib05 commented May 29, 2026 •

edited

Loading

github-actions Bot commented May 29, 2026 •

edited

Loading