
chore: harden dprint config and CI permissions #59

Merged: codepuncher merged 2 commits into main from chore/ci-tooling-hardening, Jun 20, 2026

@codepuncher (Owner)

Two small, independent hardening changes (one commit each).

Exclude submodules and build dirs from dprint

dprint.json's includes: ["README.md"] glob matches every README.md in the tree, so a bare dprint fmt recurses into the lib/ submodules (commonlibsse-ng, vcpkg, skse-mcp) and reformats their READMEs, dirtying the working trees. The CI dprint check and the pre-commit hook are unaffected because they pass explicit paths — but a local dprint fmt hits it. Adds excludes: [lib/**, build/**, vcpkg_installed/**].

Drop unused actions: write permission

The test, build, and clang-tidy jobs in ci.yml only use actions/cache and upload-artifact, neither of which needs the actions scope. Removed for least privilege. (release.yml already omits it.)

Verification

  • Bare dprint fmt now touches nothing; submodules stay clean; dprint check still passes on the repo's own docs.
  • ci.yml still parses as valid YAML.

The test, build, and clang-tidy jobs only use actions/cache and
upload-artifact, neither of which needs the actions scope. Drop it for
least privilege.
Copilot AI review requested due to automatic review settings June 20, 2026 11:57

Copilot AI left a comment


Pull request overview

Hardens local formatting and GitHub Actions permissions by preventing dprint fmt from touching vendored/submodule trees and tightening CI job token scopes.

Changes:

  • Add excludes patterns to dprint.json to avoid formatting files in lib/, build/, and vcpkg_installed/.
  • Remove actions: write from the test, build, and clang-tidy jobs’ permissions blocks in ci.yml.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| dprint.json | Adds exclude globs so repo-local formatting doesn’t recurse into submodules/build outputs. |
| .github/workflows/ci.yml | Drops unused actions: write job permission to reduce CI token privileges. |


@codepuncher codepuncher merged commit b15096f into main Jun 20, 2026
14 checks passed
@codepuncher codepuncher deleted the chore/ci-tooling-hardening branch June 20, 2026 12:22
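
A regression check for the permissions change discussed in this PR, as an added example that is not part of the PR or the repository: it lists every job whose token permissions grant a write scope outside a per-job allowlist, and also reports jobs with no `permissions` block, since those inherit the workflow-level block or the repository default. The function names, the allowlist shape and the sample workflow are assumptions made for illustration, and the parser assumes block-style YAML with 2-space indentation.

```python
# Constructed sample (not the repository's ci.yml); parser assumes 2-space block YAML.
SAMPLE = """\
jobs:
  test:
    permissions:
      contents: read
      actions: write   # unused scope of the kind this PR removes
    steps:
      - uses: actions/cache@v4
  lint:
    permissions: write-all
  docs:
    runs-on: ubuntu-latest
"""

def job_permissions(text):
    """Return {job: {scope: level}}; None means the job has no permissions block."""
    perms, job, in_jobs, in_perm = {}, None, False, False
    for line in (raw.split("#", 1)[0].rstrip() for raw in text.splitlines()):
        if not line:                      # blank or comment-only line
            continue
        indent = len(line) - len(line.lstrip())
        key, _, val = (s.strip() for s in line.strip().partition(":"))
        if indent == 0:                   # new top-level key
            in_jobs, job, in_perm = key == "jobs", None, False
        elif in_jobs and indent == 2:     # job id
            job, in_perm = key, False
            perms[job] = None
        elif job and indent == 4:         # job-level key
            in_perm = key == "permissions" and not val
            if key == "permissions":      # shorthand (write-all, read-all, {}) or block
                perms[job] = {"*": val} if val else {}
        elif in_perm and indent == 6:     # scope: level
            perms[job][key] = val
    return perms

def excess_writes(text, allowed=None):
    """Sorted (job, scope) pairs granting write outside the per-job allowlist."""
    found = []
    for job, scopes in job_permissions(text).items():
        if scopes is None:  # inherits the workflow-level block or repository default
            scopes = {"<inherited>": "write"}   # treated as unreviewed
        for scope, level in scopes.items():
            if level.startswith("write") and scope not in (allowed or {}).get(job, ()):
                found.append((job, scope))
    return sorted(found)

if __name__ == "__main__":
    print(excess_writes(SAMPLE))
```

Run against a real workflow file by passing its text to `excess_writes` together with the set of write scopes each job is known to need; a non-empty result is the signal to review.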