Describe the enhancement
Some workflows use overly broad permissions or pass all secrets to called workflows via secrets: inherit. These should be tightened to follow the principle of least privilege.
Permissions
.github/workflows/package_linux.yml has contents: write at the workflow level — this should be scoped to the specific job that needs it.
Secret inheritance
The following workflows pass all secrets to reusable workflows via secrets: inherit instead of explicitly listing required secrets:
.github/workflows/cpp_extra.yml (2 instances)
.github/workflows/cuda_extra.yml (2 instances)
.github/workflows/package_linux.yml (2 instances)
.github/workflows/python.yml
.github/workflows/r.yml
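To make both fixes concrete, here is an added before/after illustration of a caller workflow in the shape the issue describes. It is not any of the project's real workflow files: the job names, the called workflow path, the SIGNING_KEY secret name and the release upload step are assumptions used only to show where the tightening goes.

```yaml
# Added example, not one of the project's workflow files. Job names, the
# reusable workflow path and the secret name are assumptions.

# --- Before: write permission granted to the whole workflow, and every
#     repository/organization secret forwarded to the called workflow ---
name: package-linux-before
on:
  push:
    tags: ['v*']

permissions:
  contents: write          # every job in the file gets write access to the repo

jobs:
  build:
    uses: ./.github/workflows/build.yml   # assumed path of the reusable workflow
    secrets: inherit       # all secrets exposed, whether the callee needs them or not

  release:
    needs: build
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist
      - run: gh release upload "$GITHUB_REF_NAME" dist/*
        env:
          GH_TOKEN: ${{ github.token }}

---
# --- After: read-only default at the workflow level, write scoped to the
#     one job that uploads, and only the named secret passed to the callee ---
name: package-linux-after
on:
  push:
    tags: ['v*']

permissions:
  contents: read           # workflow-wide default is read-only

jobs:
  build:
    uses: ./.github/workflows/build.yml   # assumed path of the reusable workflow
    secrets:
      SIGNING_KEY: ${{ secrets.SIGNING_KEY }}   # assumed name; nothing else is forwarded

  release:
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: write        # elevated only here, where the release upload needs it
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist
      - run: gh release upload "$GITHUB_REF_NAME" dist/*
        env:
          GH_TOKEN: ${{ github.token }}
```

Two checks worth doing alongside the change: the reusable workflow must declare each forwarded secret under on.workflow_call.secrets (with required: true where appropriate), so a secret that is no longer inherited fails loudly at workflow validation rather than silently at runtime; and the job-level permissions block can only narrow or widen what the workflow level grants for that job, so the workflow-level default should be the minimum any job needs.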
Component(s)
Continuous Integration