-
Notifications
You must be signed in to change notification settings - Fork 13
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Set the GitHub Actions token permission to null in most workflows. This results in: GITHUB_TOKEN Permissions Metadata: read The default permissions, used without the null override, are either GITHUB_TOKEN Permissions Actions: write Checks: write Contents: write Deployments: write Discussions: write Issues: write Metadata: read Packages: write Pages: write PullRequests: write RepositoryProjects: write SecurityEvents: write Statuses: write or GITHUB_TOKEN Permissions Actions: read Checks: read Contents: read Deployments: read Discussions: read Issues: read Metadata: read Packages: read Pages: read PullRequests: read RepositoryProjects: read SecurityEvents: read Statuses: read Jobs triggered by PRs get read permissions, other jobs get write. A few jobs require non-null permissions to function. The dependent issues GHA needs PR/issues write permissions to add/remove `dependent` labels. It needs status write permission to block/unblock PRs when dependencies are missing/met. Fails with HttpError otherwise. The release job needs permissions to publish releases on GitHub and create/edit PRs. The exact permissions for this job might need tweaking. The testing workflow already had specific permissions granted. Signed-off-by: Daniel Farrell <[email protected]>
- Loading branch information
1 parent
5345536
commit b4a8ae0
Showing
8 changed files
with
23 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -4,6 +4,8 @@ name: Branch Checks | |
on: | ||
pull_request: | ||
|
||
permissions: {} | ||
|
||
jobs: | ||
target_branch: | ||
name: PR targets branch | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -7,6 +7,8 @@ on: | |
- 'CODEOWNERS' | ||
- 'CODEOWNERS.in' | ||
|
||
permissions: {} | ||
|
||
jobs: | ||
updated: | ||
name: Up-to-date | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -4,6 +4,8 @@ name: End to End Tests | |
on: | ||
pull_request: | ||
|
||
permissions: {} | ||
|
||
jobs: | ||
e2e: | ||
name: E2E | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -4,6 +4,8 @@ name: Validation | |
on: | ||
pull_request: | ||
|
||
permissions: {} | ||
|
||
jobs: | ||
yamls: | ||
name: Release YAMLs | ||
|