submariner-io / enhancements

Enhancement proposals for Submariner projects.
https://submariner.io/
Apache License 2.0

Minimize GHA permissions #131

Closed dfarrell07 closed 2 years ago

dfarrell07 commented 2 years ago

Set the GitHub Actions token permission to null in most workflows.

This results in:

GITHUB_TOKEN Permissions
    Metadata: read

The default permissions, used without the null override, are either

GITHUB_TOKEN Permissions
    Actions: write
    Checks: write
    Contents: write
    Deployments: write
    Discussions: write
    Issues: write
    Metadata: read
    Packages: write
    Pages: write
    PullRequests: write
    RepositoryProjects: write
    SecurityEvents: write
    Statuses: write

or

GITHUB_TOKEN Permissions
    Actions: read
    Checks: read
    Contents: read
    Deployments: read
    Discussions: read
    Issues: read
    Metadata: read
    Packages: read
    Pages: read
    PullRequests: read
    RepositoryProjects: read
    SecurityEvents: read
    Statuses: read

Jobs triggered by PRs get read permissions, other jobs get write.

One job requires non-null permissions to function.

The dependent-issues GHA needs PR/issues write permissions to add/remove dependent labels. It needs status write permission to block/unblock PRs when dependencies are missing/met. It fails with HttpError otherwise.

Signed-off-by: Daniel Farrell dfarrell@redhat.com
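The two shapes described in the PR, as an added illustration rather than the workflows from the Submariner repositories: a workflow-level empty `permissions` block that leaves GITHUB_TOKEN with only `metadata: read`, and one job that re-grants exactly the write scopes the dependent-issues action needs. File names, the lint script, and the action reference (z0al/dependent-issues) are assumptions, not taken from the PR.

```yaml
# .github/workflows/linting.yml (assumed file name)
# An empty permissions block drops every scope except metadata: read,
# matching the "Metadata: read" output quoted in the PR description.
name: Linting
on:
  pull_request:

permissions: {}

jobs:
  shellcheck:
    runs-on: ubuntu-latest
    steps:
      # Checkout of a public repo works without contents: read; a
      # private repo would need that one scope added at job level.
      - uses: actions/checkout@v3
      - run: ./scripts/lint.sh   # assumed script name

---
# .github/workflows/dependent-issues.yml (assumed file name)
# Same workflow-level default, then a single job that asks back for
# the three write scopes the PR says the action fails without.
name: Dependent Issues
on:
  issues:
    types: [opened, edited, reopened]
  # pull_request_target runs in the base repo context with the token
  # scopes below, so this job must never check out or execute PR code.
  pull_request_target:
    types: [opened, edited, reopened, synchronize]
  schedule:
    - cron: '0 0 * * *'

permissions: {}

jobs:
  check:
    runs-on: ubuntu-latest
    permissions:
      issues: write          # add/remove the "dependent" label on issues
      pull-requests: write   # add/remove the label on PRs
      statuses: write        # set the blocking/unblocking commit status
    steps:
      - uses: z0al/dependent-issues@v1   # assumed action and version
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          label: dependent
          keywords: depends on, blocked by
```

Every other job in the second file inherits the empty block, so a new job added later starts with read-only metadata unless its author explicitly requests more.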

submariner-bot commented 2 years ago

🤖 Created branch: z_pr131/dfarrell07/gha_min_perms

submariner-bot commented 2 years ago

🤖 Closed branches: [z_pr131/dfarrell07/gha_min_perms]