From 05f06cf386fb831afeadfaa2af76c9b4fbf71a61 Mon Sep 17 00:00:00 2001 
From: fuomag9 <1580624+fuomag9@users.noreply.github.com>
Date: Sun, 8 Mar 2026 01:31:19 +0100
Subject: [PATCH] =?UTF-8?q?ci:=20security=20review=20=E2=80=94=20add=20PR?=
 =?UTF-8?q?=20test=20trigger,=20explicit=20permissions=20on=20all=20jobs?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- test.yml: add pull_request trigger (safe — permissions: {}, no secrets referenced; pull_request event from forks gets no secrets and read-only token)
- stale.yml: add explicit permissions (issues: write, pull-requests: write) instead of relying on potentially over-broad repo defaults
- docker-build-pr.yml: add actions: write permission required for GHA cache writes (cache-to: type=gha)

Remaining known limitation: actions are pinned to tags (@v3/@v6) rather than SHAs — moving a tag upstream would run arbitrary code. Low risk for official Docker/GitHub actions but worth noting.

ci: remove cache-to from PR build, drop actions: write permission

PR builds read from the GHA cache (warmed by main branch pushes) but don't write back. This avoids needing actions: write on a job that runs untrusted PR code.

ci: restrict test job permissions to zero

Zero out GITHUB_TOKEN permissions and remove the non-existent ACTIONS_RUNNER_NO_SECRETS variable. No repo secrets are referenced in this workflow, so the test runner has no credentials available. The workflow only triggers on push to protected branches (not PRs), so code is reviewed before it runs.

ci: add test workflow to run unit/integration tests on push

Runs `npm test` (Vitest unit + integration tests) on every push to main and develop. E2E tests are excluded as they require a full Docker Compose stack.

Co-Authored-By: Claude Sonnet 4.6
---
 .github/workflows/docker-build-pr.yml | 1 -
 .github/workflows/stale.yml | 3 +++
 .github/workflows/test.yml | 35 +++++++++++++++++++++++++++
 3 files changed, 38 insertions(+), 1 deletion(-)
 create mode 100644 .github/workflows/test.yml 
diff --git a/.github/workflows/docker-build-pr.yml b/.github/workflows/docker-build-pr.yml
index e15502b0..84bc49e3 100644
--- a/.github/workflows/docker-build-pr.yml
+++ b/.github/workflows/docker-build-pr.yml
@@ -52,5 +52,4 @@ jobs:
 tags: ${{ steps.meta.outputs.tags }}
 labels: ${{ steps.meta.outputs.labels }}
 cache-from: type=gha
- cache-to: type=gha,mode=max
 platforms: linux/amd64,linux/arm64
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 3a2ae9e8..fd69d6ec 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -7,6 +7,9 @@ on:
 jobs:
 stale:
 runs-on: ubuntu-latest
+ permissions:
+ issues: write
+ pull-requests: write
 steps:
 - uses: actions/stale@v10
 with:
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
new file mode 100644
index 00000000..2c017d40
--- /dev/null
+++ b/.github/workflows/test.yml
@@ -0,0 +1,35 @@
+name: Tests
+ on:
+ push:
+ branches:
+ - main
+ - develop
+ pull_request:
+ branches:
+ - main
+ - develop
+
+ jobs:
+ test:
+ runs-on: ubuntu-latest
+ # Zero out GITHUB_TOKEN permissions — tests have no external dependencies and
+ # need no credentials. No secrets: references in this workflow either, so no
+ # repo secrets are injected into the environment.
+ permissions: {}
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v6
+
+ - name: Set up Node.js
+ uses: actions/setup-node@v4
+ with:
+ node-version: '22'
+ cache: 'npm'
+
+ - name: Install dependencies
+ run: npm ci
+
+ - name: Run unit and integration tests
+ run: npm test
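Review bot: The new `permissions` block on the `stale` job in stale.yml carries no comment saying why `issues: write` and `pull-requests: write` are needed, and nothing in the hunk ties them to the `actions/stale@v10` step that follows. A one-line comment above the block, such as `# actions/stale labels and closes issues/PRs; a job-level block also sets every unlisted scope to none`, would record both the need for the two scopes and the side effect that the job now receives no other scope at all. The step's `with:` mapping continues outside the hunk, so it could not be checked against the granted scopes.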
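Review bot: The `Checkout repository` step in the new test.yml leaves the job's GITHUB_TOKEN in `.git/config` for the later `npm ci` and `npm test` steps, because actions/checkout persists credentials by default, and on a `pull_request` run those two steps execute the contributor's lockfile install scripts and test code. `permissions: {}` already reduces that token to almost nothing, so this is defence in depth rather than a hole, but since no later step pushes or fetches, the token can simply be kept off disk by adding `with:` / `persist-credentials: false` under `uses: actions/checkout@v6`. The job-level comment could then also say that the checkout is credential-free, so anyone who later adds a push or release step knows to revisit both settings together.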