Skip to content

security: add permissions block to workflows #109

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Feb 22, 2024
Merged

security: add permissions block to workflows #109

merged 1 commit into from
Feb 22, 2024

Conversation

reakaleek
Copy link
Member

Details

⚠️ This PR was created by an automated tool. Please review the changes carefully. ⚠️

We want to set the default permissions for workflows to read-only for contents.
This is a security measure to prevent accidental changes to the repository.

This change adds a top-level permissions block to all workflows in the .github/workflows directory.

permissions:
  contents: read

In some cases workflows might need more permissions than just contents: read.
Please checkout this branch and add the necessary permissions to the workflows.

If your workflow uses a Personal Access Token (PAT), we can still add the permissions block,
but it will not have any effect.

Merging this PR as is might cause workflows that need more permissions to fail.

If there are any questions, please reach out to the @elastic/observablt-ci

@reakaleek reakaleek self-assigned this Feb 17, 2024
@reakaleek reakaleek requested a review from a team February 17, 2024 19:12
v1v
v1v reviewed Feb 22, 2024
View reviewed changes
.github/workflows/addToProject.yml
@@ -7,6 +7,9 @@ on:
env:
MY_GITHUB_TOKEN: ${{ secrets.APM_TECH_USER_TOKEN }}

permissions:
contents: read
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

uses MY_GITHUB_TOKEN

v1v
v1v reviewed Feb 22, 2024
View reviewed changes
.github/workflows/labeler.yml
@@ -7,6 +7,9 @@ on:
env:
MY_GITHUB_TOKEN: ${{ secrets.APM_TECH_USER_TOKEN }}

permissions:
contents: read
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

uses APM_TECH_USER_TOKEN

@v1v v1v merged commit dfd960f into main Feb 22, 2024
@v1v v1v deleted the gh-oblt/add-permission-block-to-workflows branch February 22, 2024 08:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@basepi basepi basepi approved these changes

@v1v v1v v1v approved these changes

Assignees

@reakaleek reakaleek

Labels
agent-python
Projects
APM-Agents (OLD)
Status: Done
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@reakaleek @basepi @v1v