Set minimal workflow permissions #53297
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
typescript-bot
added
the
For Uncommitted Bug
|
Is there a reason to do it this way as opposed to changing the global settings (on our end) to start as read-only and then explicitly grant permissions? |
jakebailey
approved these changes
Mar 16, 2023
|
So, seems like well take this, flip the repo root setting, then remove all of the top-level ones as they will be redundant. |
Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
|
Sent #53298 now that the repo has changed (which reverts some of this PR); let me know if it looks good. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #53296
As per the linked issue, this PR sets top-level read-only permissions on all workflows. This reduces risks in case any workflow dependencies are compromised in a supply-chain attack.
Some of the workflows seem to require
contents: writepermissions to push directly to the repository. These have been given read-only top-level permissions and then write permissions at the job level. This is for future proofing, in case additional jobs that do not require write access are added to the workflow.