python / importlib_metadata

Library to access metadata for Python packages
https://importlib-metadata.readthedocs.io
Apache License 2.0

Update main.yml permissions #439

Closed joycebrum closed 1 year ago

joycebrum commented 1 year ago

Changes

Closes #438

Looking at the tox documentation, it does not seem to need id-token. Also I've looked into https://github.com/jaraco/jaraco.develop/blob/main/jaraco/develop/create-github-release.py and the permissions seem to be only metadata: read (which is always read) and contents: write (granted to the job).

The other jobs seem to need only contents: read, but I wasn't able to check due to test failures.

See what you think and if I may be missing something.

jaraco commented 1 year ago

Superseded by jaraco/skeleton#76.

joycebrum commented 1 year ago

Just a comment: although the workflow used has its permissions set to minimal scope, since it is this workflow that creates the GITHUB_TOKEN, for all other commands/workflows it will have the write-all permission if no permission is set in the yml file.

I believe this PR would still be an addition to supply-chain security; if possible, please reconsider.

Thanks!
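The pattern this PR proposes, as a constructed illustration added here rather than the repository's actual main.yml: a workflow-level `permissions` block makes every job's GITHUB_TOKEN read-only by default, and only the release job is granted `contents: write`. Job names, steps and the release command are placeholders.

```yaml
# Constructed example, not the project's own workflow file.
name: tests-and-release

on:
  push:
  pull_request:

# Workflow-level default for every job's GITHUB_TOKEN.
# Listing any scope here sets all unlisted scopes to none, so id-token,
# packages, pull-requests etc. are unavailable unless a job re-enables them.
# Without this block, unlisted scopes fall back to the repository's
# default token permissions, which may still be write for most scopes.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: python -m pip install tox && tox

  release:
    needs: test
    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
    runs-on: ubuntu-latest
    # Job-level permissions replace the workflow-level set for this job only:
    # contents: write is needed to create the GitHub release; metadata: read is
    # always granted; everything else (including id-token) stays at none.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - run: echo "placeholder for the release step"
```

The "Actions" tab shows the effective token permissions for each job run, which is the quickest way to confirm that the test job received only contents: read.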

FFY00 commented 1 year ago

@joycebrum the change was merged into https://github.com/jaraco/skeleton, and this repo was updated to the latest skeleton version, so your change already got pulled 😅

https://github.com/python/importlib_metadata/commits/main https://github.com/python/importlib_metadata/commit/109f8c09ddb4904dc3f83307473520b2250ccb30

joycebrum commented 1 year ago

Aaaah my bad. I didn't notice it worked like that 😅. Thanks for the explanation.