fix(ci): Manage secrets/permissions #3396
Conversation
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
| if [ -n "${{ (secrets.REPO_GPG_PASSPHRASE != '' && secrets.NIGHTLY_KEYCHAIN_PASSPHRASE != '') || '' }}" ]; then | ||
| echo "has-secrets=1" >> "$GITHUB_OUTPUT" |
There was a problem hiding this comment.
This is the main logic for checking for secrets
| permissions: | ||
| contents: none | ||
| outputs: | ||
| has-secrets: ${{ steps.check.outputs.has-secrets }} |
There was a problem hiding this comment.
the output then arrives here
| needs: config | ||
| if: needs.config.outputs.has-secrets |
| permissions: | ||
| contents: none |
There was a problem hiding this comment.
this job doesn't really need any permissions, so we say so.
| permissions: | ||
| contents: read |
There was a problem hiding this comment.
separately, we declare the permissions.
Afaict, this job only needs to be able to checkout.
| @@ -10,6 +10,8 @@ jobs: | |||
| build: | |||
| name: Build and Test | |||
| runs-on: macos-12 | |||
| permissions: | |||
| contents: read | |||
There was a problem hiding this comment.
afaict, the only permissions this workflow needs are to checkout, so let's be explicit (this reduces scope from the default which is much broader)
| permissions: | ||
| checks: write | ||
| pull-requests: write | ||
|
|
There was a problem hiding this comment.
I missed that this is using github.actions.listWorkflowRunArtifacts https://docs.github.com/en/rest/actions/artifacts?apiVersion=2022-11-28#list-artifacts-for-a-repository
| @@ -10,6 +10,8 @@ jobs: | |||
| generate-release-notes: | |||
| name: Generate Release Notes | |||
| runs-on: ubuntu-latest | |||
| permissions: | |||
| contents: write | |||
There was a problem hiding this comment.
| @@ -52,6 +54,9 @@ jobs: | |||
| create-next-milestone: | |||
| name: Create next milestone | |||
| runs-on: ubuntu-latest | |||
| permissions: | |||
| contents: read | |||
There was a problem hiding this comment.
actions/checkout needs read
| @@ -52,6 +54,9 @@ jobs: | |||
| create-next-milestone: | |||
| name: Create next milestone | |||
| runs-on: ubuntu-latest | |||
| permissions: | |||
| contents: read | |||
| issues: write | |||
There was a problem hiding this comment.
afaict creating a milestone requires issues write (I looked this up but closed the tab -- I'm not particularly happy that the action doesn't state that explicitly).
fixes #3395