Set top-level read-only workflow permissions #6775

Merged
merged 2 commits into from
Nov 9, 2023

Conversation

pnacht
Contributor

@pnacht pnacht commented Nov 8, 2023

Fixes #6774.

As mentioned in the issue, this PR adds top-level read-only permissions to coverage.yml, ensuring it can't be used for supply-chain attacks on the repo.

I've also made a few similar changes to the other workflows, mostly just setting write permissions at job-level instead of top-level. This serves to future-proof the workflows in case new jobs (that don't need those permissions) are added to the workflows. However, this change has no immediate impact to those workflows' security: the tokens effectively used in those jobs are unchanged.

RELEASE NOTES: None

Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
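
A check for the pattern described in this PR, as an added example that is not part of the PR or the project's code: it flags workflows that have no top-level `permissions` block or that grant write scopes at top level. The two sample workflows are constructed, and the line-based parsing assumes block-style YAML with `permissions:` at column 0.

```python
import re

# Constructed sample workflows; names, jobs and steps are illustrative.
NO_TOP_LEVEL = """\
on: [push, pull_request]
jobs:
  upload:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
"""
JOB_LEVEL_WRITE = """\
on: [issues]
permissions:
  contents: read      # default for every job, including ones added later
jobs:
  triage:
    runs-on: ubuntu-latest
    permissions:      # write scope only on the job that needs it
      issues: write
    steps:
      - run: echo "label the issue here"
"""

def top_level_permissions(text):
    """Return top-level permissions as a dict or scalar string, None if absent."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"permissions:\s*(.*?)\s*(#.*)?$", line)  # column 0 only
        if not m:
            continue
        if m.group(1):  # scalar form such as read-all or write-all
            return m.group(1)
        scopes = {}
        for sub in lines[i + 1:]:
            if sub.strip() and not sub.startswith((" ", "\t")):
                break  # next top-level key ends the block
            kv = re.match(r"\s+([\w-]+):\s*([\w-]+)", sub)
            if kv:
                scopes[kv.group(1)] = kv.group(2)
        return scopes
    return None

def audit(text):
    """List findings for one workflow; empty means read-only at top level."""
    perms = top_level_permissions(text)
    if perms is None:
        return ["no top-level permissions: token uses the repository default"]
    if isinstance(perms, str):
        return [] if perms in ("read-all", "{}") else [f"top-level permissions: {perms}"]
    return [f"top-level {s}: write" for s, v in perms.items() if v == "write"]
```

A job-level `permissions` block replaces the top-level one for that job, so scopes it does not list are not granted to that job.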

linux-foundation-easycla bot commented Nov 8, 2023

CLA Signed

The committers listed above are authorized under a signed CLA.

  • ✅ login: pnacht / name: Pedro Kaj Kjellerup Nacht (4b36065, 8cb6438)


codecov bot commented Nov 8, 2023

Codecov Report

Merging #6775 (8cb6438) into master (482de22) will decrease coverage by 0.10%.
The diff coverage is n/a.

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #6775      +/-   ##
==========================================
- Coverage   83.40%   83.31%   -0.10%     
==========================================
  Files         285      285              
  Lines       30966    30966              
==========================================
- Hits        25828    25798      -30     
- Misses       4068     4087      +19     
- Partials     1070     1081      +11     

see 21 files with indirect coverage changes

@arvindbr8
Member

@pnacht -- Thanks for the PR. Also thanks for bringing this to our notice.

The diff looks good to me, however you might have to get your account auth'd by a signed CLA. Just follow the steps here.

Member

@arvindbr8 arvindbr8 left a comment


LGTM.


@dfawley: Could you PTAL as well?

@arvindbr8 arvindbr8 requested a review from dfawley November 8, 2023 17:48
@arvindbr8 arvindbr8 added this to the 1.60 Release milestone Nov 9, 2023
Member

@dfawley dfawley left a comment


Thank you for the fix!

@dfawley dfawley merged commit eb46b7d into grpc:master Nov 9, 2023
13 checks passed
@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 8, 2024
Labels
Type: Meta Github repo, process, etc
Development

Successfully merging this pull request may close these issues.

Set coverage.yml workflow to run with read-only tokens