Declare permissions #15493
Declare permissions #15493
Conversation
|
To make the Check change note workflow happy, please add |
angelapwen
left a comment
angelapwen
left a comment
There was a problem hiding this comment.
I looked at your fork of the repo, which has identical permissions and works 👍 thank you for the contribution!
jsoref
force-pushed
the
declare-permissions
branch
from
b997f22 to
c5a047d
Compare
angelapwen
left a comment
angelapwen
left a comment
There was a problem hiding this comment.
Blocking merge until the other comments are addressed 😄
jsoref
force-pushed
the
declare-permissions
branch
from
9da590e to
301cfcc
Compare
aeisenberg
left a comment
aeisenberg
left a comment
There was a problem hiding this comment.
Thanks for contributing this. I like that this narrows the permissions of all of our tokens.
I think .github/workflows/csv-coverage-update.yml is broken. I have a few other suggestions that will allow you to narrow the permissions. security-events is only required if we are reading or writing SARIF to or from code scanning.
I do have a concern that these jobs haven't been run. Are you able to trigger them in your fork to make sure all permissions are correct?
What we do in other repos and can do here (but best to wait for a followup PR) is to add a chunk that ensures the workflow file is run whenever the workflow file itself is modified.
eg-
pull_request:
paths:
- '.github/workflows/csv-coverage-timeseries.yml'
(and similar for all other workflow files)
|
@aeisenberg: the design of these workflows is really painful.
|
jsoref
force-pushed
the
declare-permissions
branch
from
301cfcc to
0f2888b
Compare
| uses: github/codeql-action/init@v2 | ||
| uses: github/codeql-action/init@main |
There was a problem hiding this comment.
@aeisenberg says:
All of it really should be using
@mainsince we want to test on the latest in case we break something.
aeisenberg
left a comment
aeisenberg
left a comment
There was a problem hiding this comment.
Partial review. I'm finding it hard to verify that this PR is correct.
aeisenberg
left a comment
aeisenberg
left a comment
There was a problem hiding this comment.
This is looking good to me, but since this change affects lots of files, I'd like someone else to approve as well.
angelapwen
left a comment
angelapwen
left a comment
There was a problem hiding this comment.
Some questions in comments. Also, I still see a bunch of security-events: read permissions here: are those necessary? I see that they were able to be dropped from a few workflows because of the changes you'd made in the Action 😄
jsoref
force-pushed
the
declare-permissions
branch
from
f93e918 to
62d530c
Compare
Repositories can be configured with Default access (restricted) https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token Best practice says that workflows should declare the minimal permissions they require. Without declaring permissions, paranoid forks fail miserably.
jsoref
force-pushed
the
declare-permissions
branch
from
62d530c to
b58c856
Compare
|
Thank you for your patience and of course contributions @jsoref!! Merging now 💕 |
3 participants
Repositories can be configured with Default access (restricted) https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
Best practice says that workflows should declare the minimal permissions they require. Without declaring permissions, paranoid forks fail miserably.
closes #15462