9 changes: 9 additions & 0 deletions .github/workflows/api-update-electron-api-types.yaml
Expand Up @@ -4,6 +4,14 @@ name: 'Api: Update Electron API Types'
on:
workflow_dispatch:

permissions:
contents: write
pull-requests: write

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

jobs:
update-electron-types:
runs-on: ubuntu-latest
Expand Down Expand Up @@ -46,3 +54,4 @@ jobs:
labels: |
dependencies
Electron
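Review bot: The workflow-level `permissions` block added at the top of this hunk grants `contents: write` and `pull-requests: write` to every job in the workflow, not only to the job that opens the pull request, so the new baseline is broader than necessary wherever the file has more jobs than the single `update-electron-types` visible here. A tighter shape is `permissions: contents: read` at the top of the file with the two write scopes declared on the PR-creating job only. The same pattern is added in api-update-manager-api-types.yaml, i18n-update-core.yaml, i18n-update-custom-nodes.yaml and i18n-update-nodes.yaml. Whether any of these workflows has further jobs is not visible from the hunks; if each has exactly one job the difference is only in documented intent, but the job-level form still keeps a later job addition from silently inheriting write access.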

9 changes: 9 additions & 0 deletions .github/workflows/api-update-manager-api-types.yaml
Expand Up @@ -10,6 +10,14 @@ on:
required: true
default: 'main'

permissions:
contents: write
pull-requests: write

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

jobs:
update-manager-types:
runs-on: ubuntu-latest
Expand Down Expand Up @@ -104,3 +112,4 @@ jobs:
delete-branch: true
add-paths: |
src/types/generatedManagerTypes.ts

8 changes: 8 additions & 0 deletions .github/workflows/ci-json-validation.yaml
Expand Up @@ -9,10 +9,18 @@ on:
paths:
- '**/*.json'

permissions:
contents: read

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

jobs:
json-lint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- name: Validate JSON syntax
run: ./scripts/cicd/check-json.sh

8 changes: 8 additions & 0 deletions .github/workflows/ci-python-validation.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,13 @@ on:
paths:
- 'tools/devtools/**'

permissions:
contents: read

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

jobs:
syntax:
runs-on: ubuntu-latest
Expand All @@ -25,3 +32,4 @@ jobs:

- name: Validate Python syntax
run: python3 -m compileall -q tools/devtools

8 changes: 8 additions & 0 deletions .github/workflows/ci-shell-validation.yaml
Expand Up @@ -11,6 +11,13 @@ on:
paths:
- '**/*.sh'

permissions:
contents: read

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

jobs:
shell-lint:
runs-on: ubuntu-latest
Expand All @@ -24,3 +31,4 @@ jobs:

- name: Run shellcheck
run: bash ./scripts/cicd/check-shell.sh

5 changes: 5 additions & 0 deletions .github/workflows/ci-tests-storybook.yaml
Expand Up @@ -7,6 +7,10 @@ on:
push:
branches: [main]

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
Comment on lines +10 to +12
⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add an explicit workflow-level permission baseline.

This workflow still leaves storybook-build, chromatic-deployment, and deploy-production on the repository default GITHUB_TOKEN scopes. That undercuts the least-privilege hardening this PR is applying elsewhere. Add a top-level permissions: contents: read here and keep the existing job-level overrides for the PR-comment jobs.

Suggested patch
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
permissions:
contents: read
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci-tests-storybook.yaml around lines 10 - 12, Add a
workflow-level permissions baseline by declaring a top-level "permissions:
contents: read" in the workflow YAML so the workflow no longer inherits broader
repository GITHUB_TOKEN scopes; keep the existing job-level permission overrides
for the PR-comment-related jobs (e.g., storybook-build, chromatic-deployment,
deploy-production) intact to maintain their specific privileges while enforcing
least-privilege for the whole workflow that currently contains the "concurrency"
block with "group" and "cancel-in-progress".


jobs:
changes:
runs-on: ubuntu-latest
Expand Down Expand Up @@ -240,3 +244,4 @@ jobs:
body: updatedBody
});
}
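Review bot: `cancel-in-progress: true` in this file is keyed on `${{ github.workflow }}-${{ github.ref }}` while the workflow runs on `push` to `main` (visible at the top of the hunk), so two pushes to main in quick succession cancel the earlier run wherever it is, and this file appears to include a production deploy job that would be interrupted partway through. The other publish and release workflows in this PR (publish-desktop-ui-on-merge.yaml, release-biweekly-comfyui.yaml, release-branch-create.yaml, release-draft-create.yaml, release-pypi-dev.yaml, version-bump-desktop-ui.yaml) deliberately use `cancel-in-progress: false`, which queues instead of cancelling. Either apply the same setting here, or keep the workflow-level cancellation for the build and test jobs and give the deploy job its own `concurrency` block with `cancel-in-progress: false`. The deploy job and its steps lie outside the hunk, so its exact behaviour under cancellation cannot be confirmed from this view.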

8 changes: 8 additions & 0 deletions .github/workflows/ci-yaml-validation.yaml
Expand Up @@ -13,6 +13,13 @@ on:
- '**/*.yml'
- '**/*.yaml'

permissions:
contents: read

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

jobs:
yaml-lint:
runs-on: ubuntu-latest
Expand All @@ -31,3 +38,4 @@ jobs:

- name: Validate YAML syntax and style
run: ./scripts/cicd/check-yaml.sh

5 changes: 5 additions & 0 deletions .github/workflows/cloud-backport-tag.yaml
Expand Up @@ -6,6 +6,10 @@ on:
types: ['closed']
branches: [cloud/*]

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

jobs:
create-tag:
if: >
Expand Down Expand Up @@ -67,3 +71,4 @@ jobs:
echo "Version: ${VERSION}"
echo "Commit: ${{ github.event.pull_request.merge_commit_sha }}"
} >> "$GITHUB_STEP_SUMMARY"
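Review bot: This section adds only a `concurrency` block and no `permissions` baseline, unlike the ci-* and api-update-* files in the same PR, so the `create-tag` job keeps whatever the repository default `GITHUB_TOKEN` grants unless a job-level `permissions` key exists outside the hunk. A job that pushes a tag needs `contents: write`; declaring `permissions: contents: read` at the top of the file and `contents: write` on `create-tag` would make the required scope explicit and drop everything else. The same gap is visible in publish-desktop-ui-on-merge.yaml, release-biweekly-comfyui.yaml, release-branch-create.yaml, release-draft-create.yaml, release-pypi-dev.yaml and version-bump-desktop-ui.yaml, whose hunks likewise show no top-level `permissions` being added. The lines above the hunk in each file are not visible, so confirm against the full file before changing.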

5 changes: 5 additions & 0 deletions .github/workflows/cloud-dispatch-cleanup.yaml
Expand Up @@ -14,6 +14,10 @@ on:

permissions: {}

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

jobs:
dispatch:
# Only dispatch when:
Expand All @@ -37,3 +41,4 @@ jobs:
event-type: frontend-preview-cleanup
client-payload: >-
{"pr_number": "${{ github.event.pull_request.number }}"}

9 changes: 9 additions & 0 deletions .github/workflows/i18n-update-core.yaml
Expand Up @@ -9,6 +9,14 @@ on:
branches: [main]
types: [opened, synchronize, reopened]

permissions:
contents: write
pull-requests: write

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

jobs:
update-locales:
# Branch detection: Only run for manual dispatch or version-bump-* branches from main repo
Expand Down Expand Up @@ -59,3 +67,4 @@ jobs:
git add src/locales/
git diff --staged --quiet || git commit -m "Update locales"
git push origin HEAD:${{ github.head_ref }}
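Review bot: `cancel-in-progress: true` on this workflow interacts with the push step at the end of the section, which commits and pushes to `${{ github.head_ref }}`: a `synchronize` event on the same PR cancels the running job at whatever step it has reached, including between `git commit` and `git push`, and the replacement run regenerates the locales from scratch. That is only safe because the step is written to be rerunnable (`git diff --staged --quiet || git commit`), which deserves a comment next to the concurrency block, e.g. `# cancel-in-progress is safe: the locale update is regenerated in full on the next run`. The remaining job steps are outside the hunk, so confirm no step before the push has an external side effect (a PR comment or a created branch) that a cancelled run would leave behind.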

9 changes: 9 additions & 0 deletions .github/workflows/i18n-update-custom-nodes.yaml
Expand Up @@ -17,6 +17,14 @@ on:
type: string
default: 'Comfy-Org'

permissions:
contents: write
pull-requests: write

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

jobs:
update-locales:
runs-on: ubuntu-latest
Expand Down Expand Up @@ -134,3 +142,4 @@ jobs:
gh pr create --title "Update locales for ${{ inputs.repository }}" --repo ${{ inputs.owner }}/${{ inputs.repository }} --head ${{ inputs.fork_owner }}:update-locales --body "Update locales for ${{ inputs.repository }}"
env:
GH_TOKEN: ${{ secrets.PR_GH_TOKEN }}

9 changes: 9 additions & 0 deletions .github/workflows/i18n-update-nodes.yaml
Expand Up @@ -9,6 +9,14 @@ on:
type: string
default: 'manual'

permissions:
contents: write
pull-requests: write

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

jobs:
update-locales:
runs-on: ubuntu-latest
Expand Down Expand Up @@ -52,3 +60,4 @@ jobs:
branch: update-locales-node-defs-${{ github.event.inputs.trigger_type }}-${{ github.run_id }}
base: main
labels: dependencies

8 changes: 8 additions & 0 deletions .github/workflows/model-page-discovery.yaml
Expand Up @@ -5,6 +5,13 @@ on:
- cron: '0 9 * * 1'
workflow_dispatch:

permissions:
contents: read

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

jobs:
discover:
runs-on: ubuntu-latest
Expand Down Expand Up @@ -121,3 +128,4 @@ jobs:
- name: No new models found
if: steps.compare.outputs.new_count == '0'
run: echo "No new models found — nothing to do."

5 changes: 5 additions & 0 deletions .github/workflows/pr-request-team-review.yaml
Expand Up @@ -8,6 +8,10 @@ on:
permissions:
pull-requests: write

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

jobs:
request-review:
if: >-
Expand All @@ -22,3 +26,4 @@ jobs:
gh pr edit ${{ github.event.pull_request.number }} \
--repo ${{ github.repository }} \
--add-reviewer Comfy-org/comfy_frontend_devs

5 changes: 5 additions & 0 deletions .github/workflows/publish-desktop-ui-on-merge.yaml
Expand Up @@ -8,6 +8,10 @@ on:
paths:
- 'apps/desktop-ui/package.json'

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: false

jobs:
resolve:
name: Resolve Version and Dist Tag
Expand Down Expand Up @@ -81,3 +85,4 @@ jobs:
with:
issue-number: ${{ github.event.pull_request.number }}
version_file: apps/desktop-ui/package.json

5 changes: 5 additions & 0 deletions .github/workflows/release-biweekly-comfyui.yaml
Expand Up @@ -24,6 +24,10 @@ on:
default: 'Comfy-Org/ComfyUI'
type: string

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: false

jobs:
check-release-week:
runs-on: ubuntu-latest
Expand Down Expand Up @@ -456,3 +460,4 @@ jobs:
echo "" >> $GITHUB_STEP_SUMMARY
echo "### PR Body:" >> $GITHUB_STEP_SUMMARY
cat pr-body.txt >> $GITHUB_STEP_SUMMARY

5 changes: 5 additions & 0 deletions .github/workflows/release-branch-create.yaml
Expand Up @@ -7,6 +7,10 @@ on:
paths:
- 'package.json'

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: false

jobs:
create-release-branch:
runs-on: ubuntu-latest
Expand Down Expand Up @@ -279,3 +283,4 @@ jobs:
3. Create a PR targeting that branch
4. Apply the matching \`core/x.y\` or \`cloud/x.y\` label
EOF

5 changes: 5 additions & 0 deletions .github/workflows/release-draft-create.yaml
Expand Up @@ -8,6 +8,10 @@ on:
paths:
- 'package.json'

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: false

jobs:
build:
runs-on: ubuntu-latest
Expand Down Expand Up @@ -130,3 +134,4 @@ jobs:
with:
issue-number: ${{ github.event.pull_request.number }}
version_file: package.json

5 changes: 5 additions & 0 deletions .github/workflows/release-pypi-dev.yaml
Expand Up @@ -8,6 +8,10 @@ on:
required: true
type: number

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: false

jobs:
build:
runs-on: ubuntu-latest
Expand Down Expand Up @@ -77,3 +81,4 @@ jobs:
with:
password: ${{ secrets.PYPI_TOKEN }}
packages-dir: comfyui_frontend_package/dist

5 changes: 5 additions & 0 deletions .github/workflows/version-bump-desktop-ui.yaml
Expand Up @@ -20,6 +20,10 @@ on:
default: 'main'
type: string

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: false

jobs:
bump-version-desktop-ui:
runs-on: ubuntu-latest
Expand Down Expand Up @@ -90,3 +94,4 @@ jobs:
base: ${{ github.event.inputs.branch }}
labels: |
Release