Closed MDr164 closed 3 months ago
It would still require write permissions to actually allow commenting. That's why most jobs don't run right now.
Looking good 👍 Is there anything else left to do or we can merge it?
Please don't merge it yet. Code-wise there is nothing left to do, but as of right now it will disable the majority of the workflows due to a violation of the permissions. The whole org forbids workflows right now that have write permissions, and given that we try to claim write rights on that one job, it disables all associated other workflows.
I think I'm not in the position to decide a change as it will affect every repo in the org...
I'm revisiting this PR since govulncheck 1.1.x is out, but it does not seem like there is a fix for the false-positive reporting of the Go stdlib issue, so it will mark each run, creating a lot of noise. It also doesn't seem like this behavior is configurable. Therefore I'm closing this PR, given that elevating the rights for actions does not seem like a good idea and having a red cross on every run also doesn't seem ideal.
Hm, looks like adding the write permission to that one job borks the CI so that no other jobs run. Without that permission on the govulncheck job we can't post a comment using the token generated during execution.
EDIT: This is the error:
The nested job 'govulncheck_job' is requesting 'pull-requests: write', but is only allowed 'pull-requests: none'.
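As an added illustration (not the project's own workflow and not code from the PR), this is the shape of a job-level `permissions` block that triggers the error quoted above under an org policy that restricts `GITHUB_TOKEN` to read-only, placed next to the read-only variant such a policy allows. The workflow name, job names and the `golang/govulncheck-action@v1` reference are assumptions chosen for the example.

```yaml
# Added example, not the project's workflow. Names and action references are assumptions.
name: govulncheck

on:
  pull_request:

# Workflow-level default: the token carries no permissions unless a job asks for some.
permissions: {}

jobs:
  govulncheck_job:
    runs-on: ubuntu-latest
    # This job-level request is what an org policy that only allows read permissions rejects:
    # "The nested job 'govulncheck_job' is requesting 'pull-requests: write',
    #  but is only allowed 'pull-requests: none'."
    # Because the policy check happens before any job starts, the whole workflow is
    # refused, not just this job.
    permissions:
      contents: read
      pull-requests: write   # needed only to post a PR comment with GITHUB_TOKEN
    steps:
      - uses: actions/checkout@v4
      - uses: golang/govulncheck-action@v1   # assumed action reference

  # Read-only variant that a read-only GITHUB_TOKEN policy permits.
  # The job still fails the check on findings, but it cannot comment on the PR.
  govulncheck_readonly:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: golang/govulncheck-action@v1   # assumed action reference
```

The trade-off in the thread is visible here: the only way to comment from the job token is the `pull-requests: write` grant, and a policy that forbids write grants rejects the workflow as a whole rather than silently dropping that one permission.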