Conversation
* feat(fraud): public docs for fraud API
… subresources * fix: add backward-compatible methods for origin_tls_client_auth Adds deprecated parent-level methods (list, get, create, delete) to maintain backward compatibility with existing SDK users while preserving the clean cache-style resource structure. Changes: - Add 4 deprecated methods at parent level pointing to zone cert endpoints - Methods generate client.OriginTLSClientAuth.New/List/Get/Delete() paths - Deprecation messages guide users to zone_certificates.* subresource - Zero breaking changes - existing SDK code continues to work - New explicit paths available at ZoneCertificates.* and HostnameCertificates.* This follows the proven KV namespace dual-path pattern (lines 2730-2752) where the same endpoint generates methods at both parent and child levels. Related: SECENG-12971 * refactor(terraform): restructure origin_tls_client_auth to peer subresources Restructure origin_tls_client_auth to have all 4 terraform resources as sibling subresources: - zone_certificates → authenticated_origin_pulls_certificate - hostnames → authenticated_origin_pulls - hostname_certificates → authenticated_origin_pulls_hostname_certificate - settings → authenticated_origin_pulls_settings Add id_property annotations to all CRUD methods. Closes SECENG-12971, SECENG-12970, SECENG-13210
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| runs-on: 'ubuntu-latest' | ||
| name: detect-breaking-changes | ||
| if: github.repository == 'cloudflare/cloudflare-typescript' | ||
| steps: | ||
| - name: Calculate fetch-depth | ||
| run: | | ||
| echo "FETCH_DEPTH=$(expr ${{ github.event.pull_request.commits }} + 1)" >> $GITHUB_ENV | ||
|
|
||
| - uses: actions/checkout@v6 | ||
| with: | ||
| # Ensure we can check out the pull request base in the script below. | ||
| fetch-depth: ${{ env.FETCH_DEPTH }} | ||
|
|
||
| - name: Set up Node | ||
| uses: actions/setup-node@v3 | ||
| with: | ||
| node-version: '20' | ||
| - name: Install dependencies | ||
| run: | | ||
| yarn install | ||
|
|
||
| - name: Detect breaking changes | ||
| run: | | ||
| # Try to check out previous versions of the breaking change detection script. This ensures that | ||
| # we still detect breaking changes when entire files and their tests are removed. | ||
| git checkout "${{ github.event.pull_request.base.sha }}" -- ./scripts/detect-breaking-changes 2>/dev/null || true | ||
| ./scripts/detect-breaking-changes ${{ github.event.pull_request.base.sha }} |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI about 1 month ago
At a high level, the fix is to add an explicit permissions block to the workflow or to the specific job, limiting the GITHUB_TOKEN to the minimal scopes needed. For this job, based on the shown steps (checkout, install, run a detection script using local git history), the minimal safe starting point is contents: read. This aligns with GitHub’s recommendation and the CodeQL suggestion.
The best fix with minimal behavior change is to add a job-level permissions section under detect_breaking_changes, right alongside runs-on and name. That way, only this job is affected, and other jobs (if any, not shown) remain unchanged. We will set:
permissions:
contents: readNo other changes to steps, actions versions, or logic are required. Concretely, in .github/workflows/detect-breaking-changes.yml, between line 10 (runs-on: 'ubuntu-latest') and line 11 (name: detect-breaking-changes), we will insert the permissions block indented two spaces to align with other job keys. No imports or additional methods are needed since this is a YAML configuration change only.
| @@ -8,6 +8,8 @@ | ||
| jobs: | ||
| detect_breaking_changes: | ||
| runs-on: 'ubuntu-latest' | ||
| permissions: | ||
| contents: read | ||
| name: detect-breaking-changes | ||
| if: github.repository == 'cloudflare/cloudflare-typescript' | ||
| steps: |
stainless-app
bot
deleted the
release-please--branches--main--changes--next--components--cloudflare
branch
Automated Release PR
6.0.0-beta.2 (2026-01-26)
Full Changelog: v6.0.0-beta.1...v6.0.0-beta.2
Features
Bug Fixes
Chores
This pull request is managed by Stainless's GitHub App.
The semver version number is based on included commit messages. Alternatively, you can manually set the version number in the title of this pull request.
For a better experience, it is recommended to use either rebase-merge or squash-merge when merging this pull request.
🔗 Stainless website
📚 Read the docs
🙋 Reach out for help or questions