ci: add missing permissions #1343
Conversation
@@ -7,11 +7,6 @@ on: | |||
paths-ignore: | |||
- '**.md' | |||
- 'docs/**' | |||
# Grant permissions to obtain federated identity credentials |
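Review bot: the hunk header (-7,11 +7,6) drops five lines, i.e. the workflow-level `permissions` block introduced by the `# Grant permissions to obtain federated identity credentials` comment, without putting a restrictive default in its place. Jobs that carry no `permissions` block of their own then fall back to the repository's default GITHUB_TOKEN permissions (as the discussion below notes) instead of a known minimum; suggest keeping a workflow-level `permissions: contents: read` and moving only `id-token: write` down into the jobs that actually federate.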
I know very little about these permissions, but would removing them from the workflow level not mean that no jobs have the permissions, except Check-Cloud-Environment and Upload-Test-Report?
@paullatzelsperger by default the permissions provided by GITHUB_TOKEN are used; `permissions` permits adding or removing access.
In my opinion setting them at the global level was not the best choice, since every job should have its own permissions set.
https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs
permissions: | ||
id-token: write | ||
contents: read | ||
|
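Review bot: this `id-token: write` / `contents: read` block is the set the Azure-Cloud-Integration-Test job needs for federated credentials, while the PR description says Upload-Test-Report needs `checks: write` and `pull-requests: write`. Keep these as two separate job-level blocks rather than one shared block, so the report job never receives `id-token: write` it does not use.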
These permissions are required for reading secrets during the Azure-Cloud-Integration-Test job.
So maybe we can leave these ones at the top same as before and just add the additional required ones to Upload-Test-Report.
@cpeeyush since these are required only by the Azure-Cloud-Integration-Test job, why not add them only on that job?
Setting these globally caused the issue; using global settings is not a good practice since these permissions are needed by 2 jobs out of 20.
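The layout the thread is converging on, written out as an added example that is not the project's own workflow: a read-only workflow-level default with per-job grants. Job names come from the discussion; the step contents and the Unit-Test job are placeholders.

```yaml
# Added example, not the project's CI file. Least-privilege layout for the
# permissions discussed in this PR; step bodies are placeholders.
name: CI

on:
  push:
    paths-ignore:
      - '**.md'
      - 'docs/**'

# Workflow-level default: read-only. Every job starts from this instead of the
# repository's default GITHUB_TOKEN permissions, and adds only what it needs.
permissions:
  contents: read

jobs:
  Azure-Cloud-Integration-Test:
    runs-on: ubuntu-latest
    # OIDC federation needs id-token: write; it is granted to this job only.
    # A job-level permissions key replaces the workflow-level set entirely,
    # so contents: read is repeated here for checkout.
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@v3
      - run: echo "placeholder: run the Azure integration tests"

  Upload-Test-Report:
    runs-on: ubuntu-latest
    needs: Azure-Cloud-Integration-Test
    # Publishing a check run and a PR comment needs these, but not id-token.
    permissions:
      checks: write
      pull-requests: write
      contents: read
    steps:
      - run: echo "placeholder: publish the test report"

  Unit-Test:
    runs-on: ubuntu-latest
    # No permissions block: inherits the read-only workflow default.
    steps:
      - uses: actions/checkout@v3
      - run: echo "placeholder: run the unit tests"
```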
Sure, agree. Let's try this on main once it's merged to see if we see any failure, as @paullatzelsperger mentioned. Thanks.
Can one of the admins verify this patch?
Codecov Report
@@ Coverage Diff @@
## main #1343 +/- ##
=======================================
Coverage 67.60% 67.60%
=======================================
Files 716 716
Lines 15858 15858
Branches 1041 1041
=======================================
Hits 10721 10721
Misses 4663 4663
Partials 474 474
Continue to review full report at Codecov.
I guess we'll see if this works once we merge to upstream main, because the Azure Integration tests will only run there, because it depends on the secrets (which are only configured in upstream).
What this PR changes/adds
Add write permissions to checks and pull-requests on CI
Why it does that
To make the Upload-Test-Report job work
Further notes
Linked Issue(s)
Closes #1329
Checklist
no-changelog