- Notifications
You must be signed in to change notification settings - Fork396
Set minimal workflow token permissions#2773
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
Uh oh!
There was an error while loading.Please reload this page.
Conversation
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
LGTM. Thanks for this PR!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Thanks for the changes@pnacht, they seem very useful and I'll probably apply this to other projects I maintain.
I left a very small question, but otherwise LGTM. I'd also like to chase that pipeline failure before merging -- it seems unrelated, but since your changes touch exactly this infrastructure I'd like to get all tests passing correctly and make surr nothing really breaks.
Uh oh!
There was an error while loading.Please reload this page.
pnacht commentedDec 11, 2023 • edited
Loading Uh oh!
There was an error while loading.Please reload this page.
edited
Uh oh!
There was an error while loading.Please reload this page.
Yeah, I'm pretty sure this is unrelated, but I've just pushed a commit that undoes the change to main.yml. Feel free to approve the workflow to test this again. If it still fails, I'll re-apply the read-only token permissions). EDIT: Nevermind, I've unpushed that commit. Instead, please seethis PR on my fork. The test is failing even though the workflow workflow is unchanged on my main branch (3.12). |
Thanks again@pnacht for the changes! |
Fixes#2772.
This PR sets top-level read-only permissions on all CI/CD workflows. Jobs that require additional permissions (
stale.ymlandpr-comment.yml) are given them at the job-level.I made more significant changes in
pr-comment.yml. It is vulnerable to code injection, since it runs files controlled by the PR author (requirements.txtandscripts/list_missing_entries.py, taken from the PR). I have therefore modified the workflow to checkout those files from the base branch instead, ensuring we're running trusted versions of those files.And in order to minimize the code that has access to the
issues/pull-requests: writepermissions, I have separated the workflow into two sequential jobs:define-comment, which is unprivileged and does almost everythingwrite-comment, which has those additional permissions and uses them to perform the very last step of actually writing the comment on the PR.