Lock live workflows read-only on main #4872

Merged: elias-ba merged 1 commit into sandbox-devx from 4857-readonly-live-lock (Jun 16, 2026)

elias-ba (Contributor) commented Jun 16, 2026

Description

Makes a :live workflow read-only on its own (non-sandbox) project. Adds Lightning.Workflows.editable_state?/2 and ANDs it into the workflow channel's can_edit_workflow permission, so the collaborative editor's existing read-only path (disabled Save, trigger toggle, and Monaco) applies automatically. Drafts are always editable, and the cloned workflow inside a sandbox stays editable.

Part of #4857. Targets the sandbox-devx integration branch, not main. Independent of the transitions PR (#4869); only needs the state field.

Validation steps

  1. Open a :live workflow on a normal (non-sandbox) project in the collaborative editor and confirm it is read-only.
  2. Open a :draft workflow and confirm it is editable.
  3. Open that workflow's clone inside a sandbox and confirm it is editable.

Additional notes for the reviewer

AI Usage

Please disclose whether you've used AI anywhere in this PR (it's cool, we just
want to know!):

  • I have used Claude Code
  • I have used another model
  • I have not used AI

You can read more details in our Responsible AI Policy

Pre-submission checklist

  • I have performed an AI review of my code (we recommend using /review
    with Claude Code)
  • I have implemented and tested all related authorization policies.
    (extends the existing :edit_workflow permission with a lifecycle check)
  • I have updated the changelog. (deferred to the final epic PR)
  • I have ticked a box in "AI usage" in this PR

Adds Workflows.editable_state?/2 and ANDs it into the workflow channel's
can_edit_workflow, so a :live workflow on a non-sandbox project is read-only
(the editor's existing read-only path then applies). Drafts and the cloned
workflow inside a sandbox stay editable.
Part of #4857 


Security Review ✅

  • S0 (project scoping): N/A — editable_state?/2 operates on pre-loaded workflow and project structs from socket.assigns (workflow_channel.ex:239); no new queries or param-derived project lookups.
  • S1 (authorization): PASS — change tightens edit gating by ANDing editable_state? into the existing Permissions.can?(:edit_workflow, ...) check (workflow_channel.ex:910–913), so live workflows on a non-sandbox project become read-only without loosening any existing role check.
  • S2 (audit trail): N/A — change is a permission gate only; no new Repo.insert/update/delete on workflows or other config resources.
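
The lifecycle gate this PR describes, as an added sketch rather than the PR's or the project's own code. The module name, the role list and the use of a non-nil parent_id to mark a sandbox project are assumptions, as is the choice to treat any other state as read-only.

```elixir
# Added illustration; module, field and role names are hypothetical,
# not taken from the Lightning code base.
defmodule EditGateExample do
  # Assumption: a sandbox project is marked by a non-nil :parent_id.
  def sandbox?(%{parent_id: parent_id}), do: not is_nil(parent_id)

  # Lifecycle gate: drafts are always editable, live workflows only in a sandbox.
  def editable_state?(%{state: :draft}, _project), do: true
  def editable_state?(%{state: :live}, project), do: sandbox?(project)
  # This example's choice: any state it does not know about is read-only.
  def editable_state?(_workflow, _project), do: false

  # Stand-in for the existing role check (assumed role names).
  def role_can_edit?(role), do: role in [:owner, :admin, :editor]

  # The lifecycle gate is ANDed in, so it can only remove edit rights,
  # never grant them to a role that could not edit before.
  def can_edit_workflow?(role, workflow, project) do
    role_can_edit?(role) and editable_state?(workflow, project)
  end

  # Decision matrix over constructed inputs (role x state x sandbox or not).
  def matrix do
    for role <- [:editor, :viewer],
        state <- [:draft, :live],
        parent_id <- [nil, "parent-project-id"] do
      {role, state, parent_id,
       can_edit_workflow?(role, %{state: state}, %{parent_id: parent_id})}
    end
  end
end

# Print one row per combination when run as a script.
Enum.each(EditGateExample.matrix(), &IO.inspect/1)
```

Because the two checks are combined with a logical AND, a viewer stays read-only in every row and an editor loses write access only for a live workflow outside a sandbox.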

codecov Bot commented Jun 16, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
⚠️ Please upload report for BASE (sandbox-devx@4f5f8b4). Learn more about missing BASE report.

Additional details and impacted files
@@ Coverage Diff @@
## sandbox-devx #4872 +/- ##
==============================================
 Coverage ? 90.5% 
==============================================
 Files ? 445 
 Lines ? 22726 
 Branches ? 0 
==============================================
 Hits ? 20566 
 Misses ? 2160 
 Partials ? 0 


elias-ba merged commit 60709be into sandbox-devx Jun 16, 2026
8 checks passed
elias-ba deleted the 4857-readonly-live-lock branch June 16, 2026 16:15
github-project-automation Bot moved this from New Issues to Done in Core Jun 16, 2026