Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commitd88bff3

Browse files
pnachtrtobar
andauthored
Set minimal workflow token permissions (#2773)
Fixes#2772.This PR sets top-level read-only permissions on all CI/CD workflows.Jobs that require additional permissions (`stale.yml` and`pr-comment.yml`) are given them at the job-level.I made more significant changes in `pr-comment.yml`. It is vulnerable tocode injection, since it runs files controlled by the PR author(`requirements.txt` and `scripts/list_missing_entries.py`, taken fromthe PR). I have therefore modified the workflow to checkout those filesfrom the base branch instead, ensuring we're running trusted versions ofthose files.And in order to minimize the code that has access to the`issues/pull-requests: write` permissions, I have separated the workflowinto two sequential jobs:1. `define-comment`, which is unprivileged and does almost everything2. `write-comment`, which has those additional permissions and uses themto perform the very last step of actually writing the comment on the PR.---------Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>Co-authored-by: rtobar <rtobarc@gmail.com>
1 parentc5908f4 commitd88bff3

File tree

3 files changed

+37
-5
lines changed

3 files changed

+37
-5
lines changed

‎.github/workflows/main.yml

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -6,6 +6,9 @@ on:
66
-3.*
77
pull_request:
88

9+
permissions:
10+
contents:read
11+
912
jobs:
1013
test:
1114
name:Test

‎.github/workflows/pr-comment.yml

Lines changed: 28 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -3,10 +3,16 @@ name: Agrega comentario a PR
33
on:
44
pull_request_target:
55

6+
permissions:
7+
contents:read
8+
69
jobs:
7-
pr-comment:
10+
define-comment:
811
name:Entradas sin traducción
912
runs-on:ubuntu-22.04
13+
outputs:
14+
any_changed:${{ steps.changed-files.outputs.any_changed }}
15+
comment:${{ steps.create-pr-comment.outputs.comment }}
1016
steps:
1117
-uses:actions/checkout@v4
1218
with:
@@ -17,9 +23,18 @@ jobs:
1723
with:
1824
python-version:"3.11"
1925
cache:"pip"
26+
# checkout these files from the base branch to guarantee they haven't been
27+
# modified by the PR
28+
-uses:actions/checkout@v4
29+
with:
30+
path:base-branch
31+
sparse-checkout-cone-mode:false
32+
sparse-checkout:|
33+
requirements.txt
34+
scripts/list_missing_entries.py
2035
-name:Instalar dependencias
2136
run:|
22-
python -m pip install -r requirements.txt
37+
python -m pip install -rbase-branch/requirements.txt
2338
-name:Obtiene lista de archivos con cambios
2439
id:changed-files
2540
uses:tj-actions/changed-files@v40
@@ -34,12 +49,20 @@ jobs:
3449
run:|
3550
{
3651
echo 'comment<<EOF'
37-
python scripts/list_missing_entries.py --github $CHANGED_PO_FILES
52+
pythonbase-branch/scripts/list_missing_entries.py --github $CHANGED_PO_FILES
3853
echo EOF
3954
} >> "$GITHUB_OUTPUT"
55+
56+
write-comment:
57+
runs-on:ubuntu-22.04
58+
needs:[define-comment]
59+
if:needs.define-comment.outputs.any_changed == 'true'
60+
permissions:
61+
issues:write
62+
pull-requests:write
63+
steps:
4064
-name:Agregar comentario con entradas faltantes
41-
if:steps.changed-files.outputs.any_changed == 'true'
4265
uses:thollander/actions-comment-pull-request@v2
4366
with:
44-
message:${{steps.create-pr-comment.outputs.comment }}
67+
message:${{needs.define-comment.outputs.comment }}
4568
comment_tag:missing-entries

‎.github/workflows/stale.yaml

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -3,9 +3,15 @@ on:
33
schedule:
44
-cron:'30 1 * * *'
55

6+
permissions:
7+
contents:read
8+
69
jobs:
710
stale:
811
runs-on:ubuntu-latest
12+
permissions:
13+
issues:write
14+
pull-requests:write
915
steps:
1016
-uses:actions/stale@v8
1117
with:

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp