Comment on lines +10 to +36
| runs-on: 'ubuntu-latest' | ||
| name: detect-breaking-changes | ||
| if: github.repository == 'cloudflare/cloudflare-typescript' | ||
| steps: | ||
| - name: Calculate fetch-depth | ||
| run: | | ||
| echo "FETCH_DEPTH=$(expr ${{ github.event.pull_request.commits }} + 1)" >> $GITHUB_ENV | ||
| - uses: actions/checkout@v6 | ||
| with: | ||
| # Ensure we can check out the pull request base in the script below. | ||
| fetch-depth: ${{ env.FETCH_DEPTH }} | ||
|
|
||
| - name: Set up Node | ||
| uses: actions/setup-node@v3 | ||
| with: | ||
| node-version: '20' | ||
| - name: Install dependencies | ||
| run: | | ||
| yarn install | ||
| - name: Detect breaking changes | ||
| run: | | ||
| # Try to check out previous versions of the breaking change detection script. This ensures that | ||
| # we still detect breaking changes when entire files and their tests are removed. | ||
| git checkout "${{ github.event.pull_request.base.sha }}" -- ./scripts/detect-breaking-changes 2>/dev/null || true | ||
| ./scripts/detect-breaking-changes ${{ github.event.pull_request.base.sha }} |
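Review bot: In the "Detect breaking changes" step, `${{ github.event.pull_request.base.sha }}` is substituted into the script text before the shell parses it, and on the final line it is left unquoted even though the `git checkout` line above quotes it. Pass the value through the step's `env:` (for example `BASE_SHA: ${{ github.event.pull_request.base.sha }}`) and use `"$BASE_SHA"` in both commands; the same applies to `${{ github.event.pull_request.commits }}` in "Calculate fetch-depth". Separately, `actions/checkout@v6` and `actions/setup-node@v3` are referenced by mutable tag, so pinning each to a full commit SHA would fix exactly which action code this job runs.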
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI about 1 month ago
- In general, fix this by adding an explicit `permissions:` block that grants only the minimal scopes required by the job. This can be defined at the workflow root (applies to all jobs) or within the specific job.
- For this workflow, the visible steps only require reading repository contents. There is no evidence of any operation that needs write access (no pushes, no issue/PR mutations, etc.). The single best fix is to add `permissions: contents: read` at the job level for `detect_breaking_changes`. This documents the intent and prevents the job from inheriting potentially broader default permissions.
- Concretely, in `.github/workflows/detect-breaking-changes.yml`, modify the `detect_breaking_changes` job definition (around line 9–13) to introduce a `permissions:` block between `name:` and `if:` (or between any job-level keys, as long as indentation is correct).
- No new methods, imports, or other definitions are needed; this is purely a YAML configuration change.
Suggested changeset
.github/workflows/detect-breaking-changes.yml
| @@ -9,6 +9,8 @@ | ||
| detect_breaking_changes: | ||
| runs-on: 'ubuntu-latest' | ||
| name: detect-breaking-changes | ||
| permissions: | ||
| contents: read | ||
| if: github.repository == 'cloudflare/cloudflare-typescript' | ||
| steps: | ||
| - name: Calculate fetch-depth |
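Review bot: The `permissions:` block is scoped to `detect_breaking_changes` only, so any other job that this workflow file has or later gains would still run with the repository's default token scopes. Consider declaring `permissions: contents: read` at the workflow root as well, keeping the job-level block as the explicit statement for this job. Listing `contents: read` sets every unlisted scope to none, which matches the visible steps (checkout, `git checkout` of the base revision, and the detection script).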
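The check behind the "Workflow does not contain permissions" warning can be approximated locally. The following is an added example, not part of the pull request or of CodeQL; the function name, the line-based parsing approach, and the two sample workflows (constructed, modelled on the job shown above) are assumptions for illustration.

```python
import re

# A mapping key at the start of a line: indentation, then `key:`.
# List items ("- name:") and comments do not match.
KEY = re.compile(r"^( *)([A-Za-z0-9_-]+):")

def jobs_without_permissions(workflow_text):
    """Return ids of jobs that inherit the default GITHUB_TOKEN scopes,
    i.e. neither the workflow root nor the job declares `permissions:`.
    Assumes block-style YAML indented with spaces (no flow mappings)."""
    root_perms, in_jobs = False, False
    job_indent = key_indent = current = None
    has_perms = {}  # job id -> True if the job declares permissions
    for line in workflow_text.splitlines():
        m = KEY.match(line)
        if not m:
            continue
        indent, key = len(m.group(1)), m.group(2)
        if indent == 0:                      # workflow-level key
            in_jobs = key == "jobs"
            root_perms = root_perms or key == "permissions"
            current = None
        elif in_jobs:
            if job_indent is None:
                job_indent = indent          # first job id fixes the level
            if indent == job_indent:         # a new job starts here
                current, key_indent = key, None
                has_perms[current] = False
            elif current is not None:
                if key_indent is None:
                    key_indent = indent      # level of the job's own keys
                if indent == key_indent and key == "permissions":
                    has_perms[current] = True
    return [] if root_perms else [j for j, ok in has_perms.items() if not ok]

# Constructed sample: the job as flagged, without a permissions block.
BEFORE = """\
name: Breaking changes
on: pull_request
jobs:
  detect_breaking_changes:
    runs-on: 'ubuntu-latest'
    name: detect-breaking-changes
    steps:
      - uses: actions/checkout@v6
      - run: ./scripts/detect-breaking-changes
"""
# Constructed sample: the same job with the suggested job-level block.
AFTER = BEFORE.replace(
    "    name: detect-breaking-changes\n",
    "    name: detect-breaking-changes\n    permissions:\n      contents: read\n")
```
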
e11a06e to ea7ea04
ea7ea04 to 2404427
* feat(fraud): public docs for fraud API
… subresources

* fix: add backward-compatible methods for origin_tls_client_auth

  Adds deprecated parent-level methods (list, get, create, delete) to maintain backward compatibility with existing SDK users while preserving the clean cache-style resource structure.

  Changes:
  - Add 4 deprecated methods at parent level pointing to zone cert endpoints
  - Methods generate client.OriginTLSClientAuth.New/List/Get/Delete() paths
  - Deprecation messages guide users to zone_certificates.* subresource
  - Zero breaking changes - existing SDK code continues to work
  - New explicit paths available at ZoneCertificates.* and HostnameCertificates.*

  This follows the proven KV namespace dual-path pattern (lines 2730-2752) where the same endpoint generates methods at both parent and child levels.

  Related: SECENG-12971

* refactor(terraform): restructure origin_tls_client_auth to peer subresources

  Restructure origin_tls_client_auth to have all 4 terraform resources as sibling subresources:
  - zone_certificates → authenticated_origin_pulls_certificate
  - hostnames → authenticated_origin_pulls
  - hostname_certificates → authenticated_origin_pulls_hostname_certificate
  - settings → authenticated_origin_pulls_settings

  Add id_property annotations to all CRUD methods.

  Closes SECENG-12971, SECENG-12970, SECENG-13210
* feat(api): add AI Gateway Dynamic Routing endpoints
2404427 to 4f7ed64
Automated Release PR
6.0.0-beta.2 (2026-02-18)
Full Changelog: v6.0.0-beta.1...v6.0.0-beta.2
Features
Bug Fixes
Chores
This pull request is managed by Stainless's GitHub App.
The semver version number is based on included commit messages. Alternatively, you can manually set the version number in the title of this pull request.
For a better experience, it is recommended to use either rebase-merge or squash-merge when merging this pull request.