easystats / workflows

GitHub Actions for {easystats} packages
https://indrajeetpatil.github.io/preventive-r-package-care
Creative Commons Zero v1.0 Universal

Permissions for GHA #9

Closed bwiernik closed 1 year ago

bwiernik commented 1 year ago

We recently made this change on the CSL repo to improve security by limiting permissions of GHA to only what was strictly necessary. Is that something we should do on our repos as well? https://github.com/citation-style-language/styles/pull/6246

@IndrajeetPatil

IndrajeetPatil commented 1 year ago

Thanks, Brenton.

TBH, I am not too familiar with this, and so need to do a bit more research before I implement anything in our workflows, or upstream in r-lib/actions.

My implicit understanding thus far has been that, unless otherwise specified, all actions are read-only. To give write access, you need to install the app and approve write permissions (e.g. precommit).

bwiernik commented 1 year ago

Okay, yeah, CSL repo actions do writing, so if we are just reading we should be good. But do we do writing for the GitHub pages stuff?

IndrajeetPatil commented 1 year ago

Yes, but always to the gh-pages branch, and no other branch. I think those are the permissions it has.
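For reference, the "limit the token to what the job needs" pattern discussed in this thread looks like the following in workflow YAML. This is an added example, not a workflow from this repository or from r-lib/actions: the job layout, the `docs` output folder and the use of `JamesIves/github-pages-deploy-action` are assumptions chosen for illustration. A workflow-level `permissions:` block drops `GITHUB_TOKEN` to read-only for every job, and only the job that pushes the site opts back in to `contents: write`. Note that `contents: write` is repository-wide rather than per-branch, so what keeps that job from touching anything other than gh-pages is the deploy step's `branch:` setting plus branch protection on `main`, not the token itself.

```yaml
# Added example: least-privilege permissions for a pkgdown site workflow.
# Not the project's own workflow; job names and paths are assumptions.
name: pkgdown

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

# Default for every job in this workflow: GITHUB_TOKEN can only read the repo.
# This overrides whatever the repository/organisation default setting is.
permissions:
  contents: read

jobs:
  # Builds the site on every push and PR but never writes anything back.
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: r-lib/actions/setup-pandoc@v2
      - uses: r-lib/actions/setup-r@v2
      - uses: r-lib/actions/setup-r-dependencies@v2
        with:
          extra-packages: any::pkgdown, local::.
      - name: Build site
        run: pkgdown::build_site_github_pages(new_process = FALSE, install = FALSE)
        shell: Rscript {0}

  # Only this job, and only on pushes to main, gets write access so it can
  # push the built site to the gh-pages branch. PR builds never reach it.
  deploy:
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: write   # job-level grant; the rest of the workflow stays read-only
    steps:
      - uses: actions/checkout@v4
      - uses: r-lib/actions/setup-pandoc@v2
      - uses: r-lib/actions/setup-r@v2
      - uses: r-lib/actions/setup-r-dependencies@v2
        with:
          extra-packages: any::pkgdown, local::.
      - name: Build site
        run: pkgdown::build_site_github_pages(new_process = FALSE, install = FALSE)
        shell: Rscript {0}
      - name: Deploy to gh-pages
        uses: JamesIves/github-pages-deploy-action@v4
        with:
          branch: gh-pages   # the only branch this step pushes to
          folder: docs       # assumed pkgdown output directory
          clean: false
```

A quick way to check what a workflow actually ran with is the "Set up job" log of any run, which prints the resolved `GITHUB_TOKEN Permissions` for that job; for a pull request from a fork the token is read-only regardless of what the YAML requests.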

IndrajeetPatil commented 1 year ago

There is not much to do here from our end. So closing this.