[GitHub] Set top level token permission #87326
@llvm/pr-subscribers-github-workflow
Author: Marius Brehler (marbre)
Changes
Full diff: https://github.com/llvm/llvm-project/pull/87326.diff
1 Files Affected:
diff --git a/.github/workflows/pr-code-format.yml b/.github/workflows/pr-code-format.yml
index 10b18f245d8965..983838858ba43e 100644
--- a/.github/workflows/pr-code-format.yml
+++ b/.github/workflows/pr-code-format.yml
@@ -1,4 +1,8 @@
name: "Check code formatting"
+
+permissions:
+ contents: read
+
on:
pull_request:
branches:
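Review bot: The `permissions:` block added under `name:` has no comment explaining why it is there, and because it sits at the top level it applies to every job in the file. Declaring only `contents: read` leaves every scope that is not listed at no access, so any job outside this hunk that writes back to the pull request would need its own job-level `permissions:` entry; the jobs are not visible here, so that is worth confirming before merge. Consider a one-line comment above the block noting that it restricts the default GITHUB_TOKEN.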
Without explicitly setting the token permission, the default (read/write for all scopes) kicks in, if not changed for the entire repo, see https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token.
This seems reasonable of course, but as always with these kinds of changes - it's really hard to test ahead of time to make sure it doesn't break anything. Have you tested this in your fork?
So far I've checked what actions are used within the workflow, but this cannot be considered as testing ahead. I had in mind that this workflow isn't that critical and that it is partly ignored (if I remember one of the pre-merge check discussions correctly). However, I converted this PR to a draft PR and will take a closer look and test within my fork.
LGTM. I agree with your analysis that this shouldn't fail by changing this, but always good to test. Getting the test setup working can be a little difficult, so if you run into any non-trivial issues, let me know and hopefully I can assist.
@marbre Are you planning to commit this?
After @tru's feedback I planned to take a more careful look before committing this. Unfortunately, I had other things on my list last week and I am currently at EuroLLVM.
Now that we are using the pull_request event for the code format job, any changes to it will get tested in the job that is triggered by this PR, so this has already been tested.
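An added example, not part of this PR or of the LLVM repository: a heuristic line scan that lists the jobs in a workflow file declaring no `permissions:` at workflow or job level, which therefore fall back to the repository-default token scopes discussed in this thread. The sample workflows and job names are constructed, and the scan assumes space-indented block-style YAML.

```python
import re

KEY = re.compile(r"^( *)([A-Za-z0-9_-]+):")  # a block-style mapping key

def unscoped_jobs(workflow_text):
    """Heuristic line scan (space-indented block YAML assumed, not a parser):
    job ids with no workflow-level or job-level `permissions:` key."""
    top_level, section = False, None   # workflow-wide block seen / current top key
    job_indent = child_indent = current = None
    jobs = {}                          # job id -> has its own `permissions:`
    for line in workflow_text.splitlines():
        m = KEY.match(line)
        if not m:
            continue                   # comments, list items, blank lines
        indent, key = len(m.group(1)), m.group(2)
        if indent == 0:
            section = key
            top_level = top_level or key == "permissions"
        elif section == "jobs":
            if job_indent is None:
                job_indent = indent    # indentation of job ids
            if indent == job_indent:
                current, child_indent = key, None
                jobs[key] = False
            elif current is not None:
                if child_indent is None:
                    child_indent = indent  # direct children of the job
                if indent == child_indent and key == "permissions":
                    jobs[current] = True
    return [] if top_level else [j for j, ok in jobs.items() if not ok]

# Constructed sample workflow; the job names are hypothetical.
BEFORE = """\
name: "Check code formatting"
on:
  pull_request:
jobs:
  format:
    runs-on: ubuntu-latest
    steps: [{run: "echo format"}]
  report:
    runs-on: ubuntu-latest
    steps: [{run: "echo report"}]
"""
# Same workflow with the top-level block from the diff above.
AFTER = BEFORE.replace("on:\n", "permissions:\n  contents: read\non:\n", 1)
# Same workflow with a job-level block on one job only.
PER_JOB = BEFORE.replace(
    "  format:\n", "  format:\n    permissions:\n      contents: read\n", 1)
```

An empty result means every job has an explicit token scope; it does not check that the declared scope is the minimum the job needs.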