github/workflows: set read-only default permissions to approve workflow #18368

1 change: 1 addition & 0 deletions .github/workflows/gh-workflow-approve.yaml
@@ -1,5 +1,6 @@
---
name: Approve GitHub Workflows
permissions: read-all
Member

Probably something like below?

permissions:
  actions: write

Member

@serathius serathius Jul 26, 2024


That should work! Thanks, I forgot that the issue is about the default permission.

Member Author


I was initially going to set it with explicit permission at the top of the file. However, I based this implementation on other workflows. For example, the scorecard workflow declares the read-all permission at the top of the file:

# Declare default permissions as read only.
permissions: read-all

Then, in the job, it sets the write permissions:

permissions:
  # Needed to upload the results to code-scanning dashboard.
  security-events: write
  # Used to receive a badge.
  id-token: write

I tested it on my fork, and it seems to work fine: https://github.com/ivanvc/etcd/actions/runs/10115486985/job/27976358983?pr=210

Let me know if you still want me to change this.
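
A complete workflow laid out the way the comment above describes, as an added example and not the project's own gh-workflow-approve.yaml: the file-level default is read-only and the one job that needs more declares `actions: write` for itself. The page shows only the `on: pull_request_target:` trigger, the top-level `permissions: read-all` and the job-level `actions: write`; the trigger filter, the job name and the `gh api` approval step are assumptions made for illustration.

```yaml
# Added example, not etcd's workflow file. Layout: read-only default for every
# job, a single job-level elevation to exactly the scope that job needs.
name: Approve GitHub Workflows

# File-level default applied to every job. Without this line the job inherits
# the repository's default token permissions, which may be write on all scopes.
# `read-all` is what the PR adds; `permissions: {}` is tighter still if no job
# needs read access by default.
permissions: read-all

on:
  pull_request_target:
    # Assumption: the event filter is not shown on the page.
    types: [opened, synchronize, reopened]

jobs:
  # Assumption: job name chosen for the example.
  approve:
    runs-on: ubuntu-latest
    # Job-level override. Only `actions` is raised; every other scope keeps the
    # read-only default from the top of the file.
    permissions:
      actions: write
    steps:
      # Deliberately no `actions/checkout` of the PR head: under
      # pull_request_target the token is the base repository's, so running
      # code from the fork here would hand it to the contributor.
      #
      # Assumption: approval via the REST endpoint for fork PR runs
      # (POST /repos/{owner}/{repo}/actions/runs/{run_id}/approve), which is
      # the call that needs `actions: write`. The project's actual step is
      # not shown on the page.
      - name: Approve runs waiting on this PR's head commit
        env:
          GH_TOKEN: ${{ github.token }}
          PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        run: |
          set -euo pipefail
          for run_id in $(gh api \
              "/repos/${GITHUB_REPOSITORY}/actions/runs?status=action_required&head_sha=${PR_HEAD_SHA}" \
              --jq '.workflow_runs[].id'); do
            echo "approving run ${run_id}"
            gh api --method POST "/repos/${GITHUB_REPOSITORY}/actions/runs/${run_id}/approve"
          done
```

The check worth doing on such a file is that the top-level `permissions` key is present and read-only or empty, and that any `write` scope appears only under a specific job, since a job without its own `permissions` block silently takes the file-level default.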

Member


Oh, I just realised that you already added it at the job level,

permissions:
  actions: write

https://github.com/ivanvc/etcd/blob/5a02298ad5a947214ba02655b0a93ac01d4c178a/.github/workflows/gh-workflow-approve.yaml#L20-L21

Looks good to me.


on:
pull_request_target:
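Review bot: the new top-level `permissions: read-all` still hands every read scope to every job in this file by default, which matters because the trigger is `pull_request_target` (the `on:` block in this hunk), where the GITHUB_TOKEN belongs to the base repository; prefer `permissions: {}` (or `contents: read` if a job checks out the base branch) so the only elevation is the job-level `actions: write` the discussion already confirms is present. A one-line comment above the key stating that the approve job re-declares its own scope would save the next reader the same question raised in this thread.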