Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

common: harden GitHub Actions #6113

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

common: harden GitHub Actions #6113

wants to merge 1 commit into from
+51 −8

Conversation

osalyk
Copy link
Contributor

@osalyk osalyk commented Sep 18, 2024
edited by grom72
Loading

This change is Reviewable

@osalyk osalyk added sprint goal This pull request is part of the ongoing sprint no changelog Add to skip the changelog check on your pull request labels Sep 18, 2024
grom72
grom72 requested changes Sep 19, 2024
View reviewed changes
Copy link
Contributor

@grom72 grom72 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed 17 of 17 files at r1, all commit messages.
Reviewable status: all files reviewed, 1 unresolved discussion (waiting on @osalyk)

a discussion (no related file):
DAOS uses an empty permissions: {} by default. Can we try if it also works for us, instead of contents: read?

osalyk
osalyk commented Sep 20, 2024
View reviewed changes
Copy link
Contributor Author

@osalyk osalyk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewable status: all files reviewed, 1 unresolved discussion (waiting on @grom72)

a discussion (no related file):

Previously, grom72 (Tomasz Gromadzki) wrote…

DAOS uses an empty permissions: {} by default. Can we try if it also works for us, instead of contents: read?

Such a submission disables all access, I'm not sure we can do that.
image.png

janekmi
janekmi requested changes Sep 20, 2024
View reviewed changes
Copy link
Contributor

@janekmi janekmi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed 17 of 17 files at r1, all commit messages.
Reviewable status: all files reviewed, 2 unresolved discussions (waiting on @grom72 and @osalyk)

a discussion (no related file):

Previously, osalyk (Oksana Sałyk) wrote…

Such a submission disables all access, I'm not sure we can do that.
image.png

If you do this you will have to add jobs.<job_id>.permissions basically for all our jobs. The default permissions should be set according to what default makes sense in the project.

.github/workflows/main.yml line 15 at r1 (raw file):

  src_checkers:
    name: Source checkers
    runs-on: ubuntu-latest

contents: read is required by all of the jobs in this file. Whereas issues: read is required only by src_checkers. Luckily we can make use of the semantics of this file and specify permissions on both levels. Where the jobs.<job_id>.permissions adds or removes access as necessary only for the given job.

Ref:

Suggestion:

permissions:
  contents: read

jobs:
  src_checkers:
    name: Source checkers
    runs-on: ubuntu-latest
    permissions:
      issues: read

janekmi
janekmi approved these changes Sep 20, 2024
View reviewed changes
Copy link
Contributor

@janekmi janekmi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

:lgtm:

Reviewed 1 of 1 files at r2, all commit messages.
Reviewable status: all files reviewed, 1 unresolved discussion (waiting on @grom72)

@janekmi janekmi requested a review from grom72 September 20, 2024 16:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@janekmi janekmi janekmi approved these changes

@grom72 grom72 Awaiting requested review from grom72

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
no changelog Add to skip the changelog check on your pull request sprint goal This pull request is part of the ongoing sprint
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@osalyk @grom72 @janekmi