Set minimal workflow token permissions #2773
Conversation
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
There was a problem hiding this comment.
Thanks for the changes @pnacht, they seem very useful and I'll probably apply this to other projects I maintain.
I left a very small question, but otherwise LGTM. I'd also like to chase that pipeline failure before merging -- it seems unrelated, but since your changes touch exactly this infrastructure I'd like to get all tests passing correctly and make surr nothing really breaks.
Yeah, I'm pretty sure this is unrelated, but I've just pushed a commit that undoes the change to main.yml. Feel free to approve the workflow to test this again. If it still fails, I'll re-apply the read-only token permissions). EDIT: Nevermind, I've unpushed that commit. Instead, please see this PR on my fork. The test is failing even though the workflow workflow is unchanged on my main branch (3.12). |
c3813ab to
71fddb6
Compare
|
Thanks again @pnacht for the changes! |
Fixes #2772.
This PR sets top-level read-only permissions on all CI/CD workflows. Jobs that require additional permissions (
stale.ymlandpr-comment.yml) are given them at the job-level.I made more significant changes in
pr-comment.yml. It is vulnerable to code injection, since it runs files controlled by the PR author (requirements.txtandscripts/list_missing_entries.py, taken from the PR). I have therefore modified the workflow to checkout those files from the base branch instead, ensuring we're running trusted versions of those files.And in order to minimize the code that has access to the
issues/pull-requests: writepermissions, I have separated the workflow into two sequential jobs:define-comment, which is unprivileged and does almost everythingwrite-comment, which has those additional permissions and uses them to perform the very last step of actually writing the comment on the PR.