Closed jglick closed 1 year ago
this is what's set up at the org level: https://github.com/organizations/jenkinsci/settings/actions
I haven't seen anything related to this kind of change either.
FTR, here are the current settings on the @jenkins-infra org:
:shrug: I am checking whether this is something I can correct in the repo’s .github/workflows/cd.yaml
…
I've created a new repo to check on @jenkins-infra; FWIW the setting is correctly inherited: https://github.com/jenkins-infra/test-repo-check-action-workflow-default-permission/settings/actions
Well this was not a new repo, it was an old repo with Actions newly enabled.
About the ci.jenkins.io GitHub app, the only recent change I can think of was me adding a @jenkins-infra repository to the 101 @jenkins-infra ones it has access to, cf https://github.com/jenkins-infra/helpdesk/issues/3409#issuecomment-1446929239
As far as I know, it has access to all @jenkinsci repositories:
Oh, interesting, you can close cross-org now.
Re jenkinsci/secure-requester-whitelist-plugin, I'm pretty sure this was me when I played with the corresponding metadata in Jenkins Security Scan.
Ah! Well, it is still good practice to explicitly declare the expected permissions, meaning this workflow should run regardless of how a particular repository is set up.
https://github.com/jenkinsci/secure-requester-whitelist-plugin/actions/runs/4294658824 for example. https://github.com/jenkinsci/secure-requester-whitelist-plugin/settings/actions shows Workflow permissions set to "Read repository contents and packages permissions", not "Read and write permissions" as in other CD-enabled repos. I think we now need to set `permissions` as per https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token. I am confused since https://github.blog/changelog/2023-02-02-github-actions-updating-the-default-github_token-permissions-to-read-only/ says … so was this changed in @jenkinsci recently? CC @lemeurherve @timja
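As an added example (not the thread's own text and not the actual cd.yaml from any jenkinsci repository), here is what an explicit `permissions` block looks like in a workflow of that shape. The trigger, job names, `ubuntu-latest` runner and the `verify.sh` script are assumptions for illustration; the point is that a workflow which declares its own scopes behaves the same whether the repository's "Workflow permissions" default is read-only or read-write.

```yaml
# Added example, not the jenkinsci cd.yaml. Shows a workflow that declares the
# GITHUB_TOKEN scopes it needs instead of inheriting the repository default.
name: cd

on:
  workflow_dispatch:
  check_run:
    types: [completed]

# Workflow-level block: applies to every job that does not override it.
# As soon as any scope is listed here, every scope NOT listed becomes "none"
# (only metadata: read is always granted), so this both restores the write
# access the release job needs and caps everything else at least privilege.
permissions:
  contents: write   # push the release tag / create the GitHub release
  checks: read      # read the check_run that triggered this workflow

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      # Hypothetical release step; it needs contents: write from above.
      - run: git tag "v$(date +%Y%m%d)" && git push origin --tags

  verify:
    runs-on: ubuntu-latest
    # Job-level override: this job never writes, so drop to read-only even
    # though the workflow-level block grants contents: write.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v3
      - run: ./verify.sh   # hypothetical script, assumed to exist in the repo
```

Without the `permissions` block, the token is whatever the repository setting hands out, which is the read-only default this thread ran into. The effective default for a repository can be read with `gh api repos/OWNER/REPO/actions/permissions/workflow` (the `default_workflow_permissions` field is `read` or `write`), and the org-level default with `gh api orgs/ORG/actions/permissions/workflow`; that is a quicker check than clicking through each repository's settings page.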