Minimize GHA permissions #470
Conversation
🤖 Created branch: z_pr470/dfarrell07/gha_min_perms
ea96b4d to 741b4c0
741b4c0 to b4a8ae0
Should work, we'll find out if not on m1 😄
Some weird failure on the tests when it tried to set up the qemu builder - https://github.com/submariner-io/releases/runs/8073137805?check_suite_focus=true#step:3:95 Seems to fail on
Set the GitHub Actions token permission to null in most workflows.
This results in:

GITHUB_TOKEN Permissions
  Metadata: read

The default permissions, used without the null override, are either

GITHUB_TOKEN Permissions
  Actions: write
  Checks: write
  Contents: write
  Deployments: write
  Discussions: write
  Issues: write
  Metadata: read
  Packages: write
  Pages: write
  PullRequests: write
  RepositoryProjects: write
  SecurityEvents: write
  Statuses: write

or

GITHUB_TOKEN Permissions
  Actions: read
  Checks: read
  Contents: read
  Deployments: read
  Discussions: read
  Issues: read
  Metadata: read
  Packages: read
  Pages: read
  PullRequests: read
  RepositoryProjects: read
  SecurityEvents: read
  Statuses: read

Jobs triggered by PRs get read permissions, other jobs get write.

A few jobs require non-null permissions to function.

The dependent issues GHA needs PR/issues write permissions to add/remove `dependent` labels. It needs status write permission to block/unblock PRs when dependencies are missing/met. Fails with HttpError otherwise.

The release job needs permissions to publish releases on GitHub and create/edit PRs. The exact permissions for this job might need tweaking.

The testing workflow already had specific permissions granted.

Signed-off-by: Daniel Farrell <[email protected]>
b4a8ae0 to 511aaab
@dfarrell07 let's get it merged soon. This seems a bit risky, so we don't want to wait until the final stages of 0.14.
CC @skitt for a re-review
🤖 Closed branches: [z_pr470/dfarrell07/gha_min_perms]
After submariner-io#470, the release GitHub Action workflow is failing to add labels to PRs.

```
gh pr edit --add-label e2e-all-k8s \
    submariner-io/submariner#2032
GraphQL: Your token has not been granted the required scopes to execute this query. The 'login' field requires one of the following scopes: ['read:org'], but your token has only been granted the: ['admin:repo_hook', 'delete:packages', 'notifications', 'repo', 'workflow', 'write:discussion', 'write:packages'] scopes. Please modify your token's scopes at: https://github.com/settings/tokens.
INFO: Didn't label 'e2e-all-k8s', continuing without it.
```

The only explanation I can find of that permission is:

> read:org Read org and team membership, read org projects

I can also see that permission is a subset of admin:org. It seems to be different than `read:project Read access of projects` somehow.

It's not clear which GITHUB_TOKEN permission we can set relates to those token permissions.

docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs

It doesn't seem possible to set all permissions to read and only some to write, as setting any specific permission overrides read-all.

For now, trying the only permission that seems even vaguely related.

Signed-off-by: Daniel Farrell <[email protected]>
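An added example (not a workflow from the submariner-io/releases repository) laying out what the two commit messages above describe: a workflow-level `permissions: {}` is the "null" override that leaves every job's GITHUB_TOKEN with only `metadata: read`, and the one job that needs more names each scope explicitly, because, as the follow-up commit notes, listing any scope at job level sets every unlisted scope to none, so there is no "read-all plus a few writes". The job names, trigger list, `contents: read` for checkout and the script path are assumptions for illustration.

```yaml
name: Dependent issues

on:
  pull_request:
    types: [opened, edited, reopened, synchronize]
  issues:
    types: [opened, edited, closed, reopened]

# Workflow-level override: the empty mapping is the "null" setting from the
# commit message. Every job starts with metadata: read only, whether the
# repository default would have been write-all or read-all.
permissions: {}

jobs:
  dependent-issues:
    runs-on: ubuntu-latest
    # Job-level grant for the one job that needs to write. Any key listed
    # here turns every unlisted scope to none, so each needed scope is named.
    permissions:
      contents: read        # assumed: lets actions/checkout clone the repo
      issues: write         # add/remove the `dependent` label on issues
      pull-requests: write  # add/remove the `dependent` label on PRs
      statuses: write       # block/unblock the PR via a commit status
    steps:
      - uses: actions/checkout@v3
      - name: Update dependent labels and statuses
        # Placeholder for the project's own step; the path is an assumption.
        run: ./scripts/dependent-issues.sh
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  lint:
    runs-on: ubuntu-latest
    # This job only reads the tree. Because it sets a permissions block, it
    # gets contents: read and nothing else; a job with no block at all would
    # inherit the workflow-level {} and receive only metadata: read.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v3
      - run: make lint
```

The write-all and read-all lists quoted in the commit message are what a job receives when neither the workflow nor the job sets `permissions`; the resulting grant for each job is visible under "GITHUB_TOKEN Permissions" in the "Set up job" step of its run log.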