Minimize GHA permissions #261

dfarrell07 · 2022-08-24T21:06:34Z

Set the GitHub Actions token permission to null in most workflows.

This results in:

GITHUB_TOKEN Permissions
Metadata: read

The default permissions, used without the null override, are either

GITHUB_TOKEN Permissions
Actions: write
Checks: write
Contents: write
Deployments: write
Discussions: write
Issues: write
Metadata: read
Packages: write
Pages: write
PullRequests: write
RepositoryProjects: write
SecurityEvents: write
Statuses: write

or

GITHUB_TOKEN Permissions
Actions: read
Checks: read
Contents: read
Deployments: read
Discussions: read
Issues: read
Metadata: read
Packages: read
Pages: read
PullRequests: read
RepositoryProjects: read
SecurityEvents: read
Statuses: read

Jobs triggered by PRs get read permissions, other jobs get write.

One job requires non-null permissions to function.

The dependent issues GHA needs PR/issues write permissions to add/remove
dependent labels. It needs status write permission to block/unblock
PRs when dependencies are missing/met. Fails with HttpError otherwise.

Signed-off-by: Daniel Farrell [email protected]

Set the GitHub Actions token permission to null in most workflows. This results in: GITHUB_TOKEN Permissions Metadata: read The default permissions, used without the null override, are either GITHUB_TOKEN Permissions Actions: write Checks: write Contents: write Deployments: write Discussions: write Issues: write Metadata: read Packages: write Pages: write PullRequests: write RepositoryProjects: write SecurityEvents: write Statuses: write or GITHUB_TOKEN Permissions Actions: read Checks: read Contents: read Deployments: read Discussions: read Issues: read Metadata: read Packages: read Pages: read PullRequests: read RepositoryProjects: read SecurityEvents: read Statuses: read Jobs triggered by PRs get read permissions, other jobs get write. One job requires non-null permissions to function. The dependent issues GHA needs PR/issues write permissions to add/remove `dependent` labels. It needs status write permission to block/unblock PRs when dependencies are missing/met. Fails with HttpError otherwise. Signed-off-by: Daniel Farrell <[email protected]>

submariner-bot · 2022-08-24T21:06:37Z

🤖 Created branch: z_pr261/dfarrell07/gha_min_perms
🚀 Full E2E won't run until the "ready-to-test" label is applied. I will add it automatically once the PR has 2 approvals, or you can add it manually.

submariner-bot · 2022-08-25T08:47:35Z

🤖 Closed branches: [z_pr261/dfarrell07/gha_min_perms]

dfarrell07 self-assigned this Aug 24, 2022

dfarrell07 requested review from Oats87, skitt and sridhargaddam as code owners August 24, 2022 21:06

dfarrell07 requested a review from tpantelis as a code owner August 24, 2022 21:06

tpantelis approved these changes Aug 24, 2022

View reviewed changes

dfarrell07 mentioned this pull request Aug 24, 2022

Use minimum GITHUB_TOKEN permissions for each job submariner-io/submariner#1740

Closed

skitt approved these changes Aug 25, 2022

View reviewed changes

submariner-bot added the ready-to-test label Aug 25, 2022

skitt merged commit e16a2c3 into submariner-io:devel Aug 25, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Minimize GHA permissions #261

Minimize GHA permissions #261

dfarrell07 commented Aug 24, 2022

submariner-bot commented Aug 24, 2022

submariner-bot commented Aug 25, 2022

Minimize GHA permissions #261

Minimize GHA permissions #261

Conversation

dfarrell07 commented Aug 24, 2022

submariner-bot commented Aug 24, 2022

submariner-bot commented Aug 25, 2022