[GitHub] Set top level token permission #87326
Conversation
|
@llvm/pr-subscribers-github-workflow Author: Marius Brehler (marbre) ChangesFull diff: https://github.com/llvm/llvm-project/pull/87326.diff 1 Files Affected:
diff --git a/.github/workflows/pr-code-format.yml b/.github/workflows/pr-code-format.yml
index 10b18f245d8965..983838858ba43e 100644
--- a/.github/workflows/pr-code-format.yml
+++ b/.github/workflows/pr-code-format.yml
@@ -1,4 +1,8 @@
name: "Check code formatting"
+
+permissions:
+ contents: read
+
on:
pull_request:
branches:
|
|
Without explicitly setting the token permission, the default (read/write for all scopes) kicks in, if not changed for the entire repo, see https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token. |
|
This seems reasonable of course, but as always with these kinds of changes - It's really hard to test ahead of time to make sure it doesn't break anything. Have you tested this in your fork? |
So far I've checked what actions are used within the workflow, but this cannot be considered at testing ahead. I had in mind that this workflow isn't that critical and that it is partly ignored (if I remember one of the pre-merge check discussions correctly). However, I converted this PR to a draft PR and will take a closer look and test within my fork. |
|
@marbre Are you planning to commit this? |
After @tru's feedback I planned to take a more careful look before commiting this. Unfortunately, I had other things on my list last week and I am currently at EuroLLVM. |
|
Now that we are using the pull_request event for the code format job, any changes to it will get tested in the job that is triggered by this PR, so this has already been tested. |
No description provided.