fix(ci): Manage secrets/permissions #3396
Conversation
This pull request does not contain a valid label. Please add one of the following labels: ['pr-fix', 'pr-change', 'pr-feature', 'pr-maintenance']
if [ -n "${{ (secrets.REPO_GPG_PASSPHRASE != '' && secrets.NIGHTLY_KEYCHAIN_PASSPHRASE != '') || '' }}" ]; then | ||
echo "has-secrets=1" >> "$GITHUB_OUTPUT" |
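Review bot: the `|| ''` on the first line is load-bearing and deserves a YAML comment explaining it: without it the expression would interpolate as the string `false` when either secret is unset, and `[ -n "false" ]` would still succeed. Because the `${{ }}` block is evaluated by the workflow engine before the step's shell runs, only the boolean result reaches the script, so the secret values themselves never appear in the command line or the step log. Writing only `has-secrets=1` and leaving the output empty otherwise is the right convention, since a non-empty `0` or `false` string would also read as truthy in a downstream `if:` expression.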
This is the main logic for checking for secrets
permissions: | ||
contents: none | ||
outputs: | ||
has-secrets: ${{ steps.check.outputs.has-secrets }} |
the output then arrives here
needs: config | ||
if: needs.config.outputs.has-secrets |
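Review bot: `if: needs.config.outputs.has-secrets` relies on the output being either `1` or empty. Job outputs are always strings, and any non-empty string (including `0` or `false`) is truthy here, so if someone later changes the config step to write `has-secrets=0` this condition would silently keep the job running. Consider `if: needs.config.outputs.has-secrets == '1'` to make the contract explicit.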
and is checked here
permissions: | ||
contents: none |
this job doesn't really need any permissions, so we say so.
permissions: | ||
contents: read |
separately, we declare the permissions.
Afaict, this job only needs to be able to checkout.
@@ -10,6 +10,8 @@ jobs: | |||
build: | |||
name: Build and Test | |||
runs-on: macos-12 | |||
permissions: | |||
contents: read |
Afaict, the only permissions this workflow needs are to checkout, so let's be explicit (this reduces scope from the default, which is much broader).
permissions: | ||
checks: write | ||
pull-requests: write | ||
|
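Review bot: once a job declares a `permissions:` block, every scope not listed is set to `none`, so with only `checks: write` and `pull-requests: write` the `GITHUB_TOKEN` loses `actions: read`, which the artifacts endpoints (including the listWorkflowRunArtifacts call mentioned above) require. Add `actions: read` to this block, and if the job also checks out the repository, `contents: read` as well.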
I missed that this is using github.actions.listWorkflowRunArtifacts
https://docs.github.com/en/rest/actions/artifacts?apiVersion=2022-11-28#list-artifacts-for-a-repository
@@ -10,6 +10,8 @@ jobs: | |||
generate-release-notes: | |||
name: Generate Release Notes | |||
runs-on: ubuntu-latest | |||
permissions: | |||
contents: write |
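Review bot: `contents: write` is the broadest grant in this change and the only `contents` write scope here, and the hunk does not show which step needs it. Add a YAML comment above it naming the step that requires write (creating the release or pushing the generated notes, for example), matching the justification given for the other jobs, so a later reader does not narrow it to `read` by analogy.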
@@ -52,6 +54,9 @@ jobs: | |||
create-next-milestone: | |||
name: Create next milestone | |||
runs-on: ubuntu-latest | |||
permissions: | |||
contents: read |
actions/checkout needs read
@@ -52,6 +54,9 @@ jobs: | |||
create-next-milestone: | |||
name: Create next milestone | |||
runs-on: ubuntu-latest | |||
permissions: | |||
contents: read | |||
issues: write |
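Review bot: `issues: write` is the correct scope: the REST "Create a milestone" endpoint is gated on the Issues permission, which is why it is not obvious from the action's name. Since the action does not document this, put a one-line YAML comment above `issues: write` noting that milestones fall under the issues scope, so the grant is not removed later as apparently unused.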
Afaict, creating a milestone requires issues write (I looked this up but closed the tab -- I'm not particularly happy that the action doesn't state that explicitly).
fixes #3395