Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Changes to set minimum token permissions for the GITHUB_TOKEN in yaml files #779

Merged
merged 1 commit into from
Dec 17, 2023
Merged

Changes to set minimum token permissions for the GITHUB_TOKEN in yaml files #779

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 6 additions & 1 deletion .github/workflows/helm_chart_release.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,8 +8,13 @@ on:
paths:
- "charts/**"

permissions:
contents: read
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hm what's the effect of this if the only job bumps its permissions to write? Just covering our bases when/if another job is added?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, the top-level permissions tag will only provide minimum access which can be overridden by job-level permissions tag. It is placed as a security measure.
Adding reference for this: Assigning permissions to jobs


jobs:
release:
permissions:
contents: write # for helm/chart-releaser-action to push chart release and create a release
runs-on: ubuntu-latest
steps:
- name: Checkout
Expand All @@ -25,4 +30,4 @@ jobs:
env:
CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
with:
config: .github/cr.yaml
config: .github/cr.yaml
3 changes: 3 additions & 0 deletions .github/workflows/tag.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,9 @@ on:
paths:
- version.txt

permissions:
contents: read
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This one needs write, because it has to git push the new tag

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This change is just to set the minimum default access as read for all jobs in the workflow. I think it will not affect the existing job since we already have a job specific write permission for that.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh I didn't notice the job's config, thanks.


jobs:
tag:
if: ${{ github.repository == 'kubernetes/cloud-provider-aws' }}
Expand Down
Loading