-
Notifications
You must be signed in to change notification settings - Fork 509
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
common: harden GitHub Actions #6113
base: master
Are you sure you want to change the base?
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reviewed 17 of 17 files at r1, all commit messages.
Reviewable status: all files reviewed, 1 unresolved discussion (waiting on @osalyk)
a discussion (no related file):
DAOS uses an empty permissions: {}
by default. Can we try if it also works for us, instead of contents: read
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reviewable status: all files reviewed, 1 unresolved discussion (waiting on @grom72)
a discussion (no related file):
Previously, grom72 (Tomasz Gromadzki) wrote…
DAOS uses an empty
permissions: {}
by default. Can we try if it also works for us, instead ofcontents: read
?
Such a submission disables all access, I'm not sure we can do that.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reviewed 17 of 17 files at r1, all commit messages.
Reviewable status: all files reviewed, 2 unresolved discussions (waiting on @grom72 and @osalyk)
a discussion (no related file):
Previously, osalyk (Oksana Sałyk) wrote…
Such a submission disables all access, I'm not sure we can do that.
If you do this you will have to add jobs.<job_id>.permissions
basically for all our jobs. The default permissions should be set according to what default makes sense in the project.
.github/workflows/main.yml
line 15 at r1 (raw file):
src_checkers: name: Source checkers runs-on: ubuntu-latest
contents: read
is required by all of the jobs in this file. Whereas issues: read
is required only by src_checkers
. Luckily we can make use of the semantics of this file and specify permissions
on both levels. Where the jobs.<job_id>.permissions
adds or removes access as necessary only for the given job.
Ref:
- https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#permissions
- https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#jobsjob_idpermissions
Suggestion:
permissions:
contents: read
jobs:
src_checkers:
name: Source checkers
runs-on: ubuntu-latest
permissions:
issues: read
7978f5b
to
63e8359
Compare
63e8359
to
700ce7e
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reviewed 1 of 1 files at r2, all commit messages.
Reviewable status: all files reviewed, 1 unresolved discussion (waiting on @grom72)
This change is