Skip to content

security: add permissions block to workflows #1972

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 6 commits into from
Mar 14, 2024
Merged

security: add permissions block to workflows #1972

merged 6 commits into from
Mar 14, 2024

Conversation

@reakaleek
Copy link
Member

@reakaleek reakaleek commented Feb 17, 2024

Details

⚠️ This PR was created by an automated tool. Please review the changes carefully. ⚠️

We want to set the default permissions for workflows to read-only for contents.
This is a security measure to prevent accidental changes to the repository.

This change adds a top-level permissions block to all workflows in the .github/workflows directory.

permissions:
  contents: read

In some cases workflows might need more permissions than just contents: read.
Please checkout this branch and add the necessary permissions to the workflows.

If your workflow uses a Personal Access Token (PAT), we can still add the permissions block,
but it will not have any effect.

Merging this PR as is might cause workflows that need more permissions to fail.

If there are any questions, please reach out to the @elastic/observablt-ci

@reakaleek reakaleek self-assigned this Feb 17, 2024
@reakaleek reakaleek requested a review from a team February 17, 2024 18:59
xrmx
xrmx previously approved these changes Feb 21, 2024
View reviewed changes
v1v
v1v reviewed Feb 21, 2024
View reviewed changes
v1v
v1v reviewed Feb 22, 2024
View reviewed changes
v1v
v1v reviewed Feb 22, 2024
View reviewed changes
Copy link
Member

@v1v v1v left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It requires checks: write when using the test-reporter

@reakaleek @v1v
Update .github/workflows/test-reporter.yml
23f947a 
Co-authored-by: Victor Martinez <victormartinezrubio@gmail.com>
@xrmx
Copy link
Member

xrmx commented Mar 12, 2024

The is a draft PR reworking the labeler workflow that is adding correct permissions too #2003

reakaleek
reakaleek commented Mar 12, 2024
View reviewed changes
@reakaleek reakaleek requested review from v1v and xrmx March 12, 2024 17:11
v1v
v1v previously approved these changes Mar 12, 2024
View reviewed changes
@reakaleek reakaleek requested a review from v1v March 14, 2024 14:14
reakaleek
reakaleek commented Mar 14, 2024
View reviewed changes
@reakaleek
Remove permissions
febb916 
This will be removed in another PR
@reakaleek reakaleek enabled auto-merge (squash) March 14, 2024 14:29
@reakaleek reakaleek merged commit d9c9020 into main Mar 14, 2024
@reakaleek reakaleek deleted the gh-oblt/add-permission-block-to-workflows branch March 14, 2024 14:36
xrmx pushed a commit that referenced this pull request Mar 20, 2024
@reakaleek @v1v @xrmx
security: add permissions block to workflows (#1972)
6155e8a 
* security: add permissions block to workflows

* Update .github/workflows/test-reporter.yml

Co-authored-by: Victor Martinez <victormartinezrubio@gmail.com>

* Update .github/workflows/labeler.yml

* Remove permissions

This will be removed in another PR

---------

Co-authored-by: Victor Martinez <victormartinezrubio@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@basepi basepi basepi left review comments

@xrmx xrmx xrmx approved these changes

@v1v v1v Awaiting requested review from v1v

Assignees

@reakaleek reakaleek

Labels

agent-python

Projects

APM-Agents (OLD)
Status: Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@reakaleek @xrmx @basepi @v1v