ci(permissions): set explicit write permission requests with restrictive GITHUB_TOKEN #1635
Oops, I spoke too soon :(( From this run, seems like we are also using permissive mode and the token already has Seems like we need some more work to migrate from PAT to
If the above is true, should we also change the default scope of
Okay, I updated the package settings so that the Actions runners within this source repo should also have access to the corresponding container registry repo. The token should be read-only unless it's being used specifically by an action/workflow step that actually requires write access to something (like the final push step).
Sounds good! I will do some more research into actions and figure out the permissions. Marked as draft.
Sample runs: tthvo#36 No changes to push event except release drafter. All pull request workflows seem to work fine. I also removed the autolabel option for Some workflows:
need to run After this, we can select the Read Only option as seen here: https://user-images.githubusercontent.com/68053619/263415796-2bd41f11-cc3d-418c-9f11-2fe37bff890b.png
Pull Request blocked. web-client submodule updates are performed automatically by CI when that repository is updated. Please revert or drop all changes to the web-client submodule from this PR and perform any required frontend work by opening and merging a PR against cryostat-web.
Image cleanup is silently failing due to a "Not found" error (though, already added
It failed silently while trying to find all images that match the expression (i.e. 404). Tried setting all permissions to I believe if the credentials are invalid, we will see There are issues:
So, I can't verify the use of
This run uses a PAT that has
We can try merging this to
Needs a rebase first.
Sounds good!!
To recreate commits with GPG signature
git fetch upstream && git rebase --force --gpg-sign upstream/main
Related to #1599
Description of the change:
Explicitly specify the package:write (for push) permission. This would also mean other permissions that are listed for this job are denied. We should implement strict permission requests in #1634 after taking third-party actions into consideration. Also, some scopes might enclose other scopes.
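Worked example, added here as an editorial illustration and not a workflow taken from the cryostat repository or written by any participant in this thread. It shows the arrangement the maintainer comment and the description above describe: the GITHUB_TOKEN stays read-only for the workflow as a whole, and only the job that performs the final image push requests write access to packages (the YAML key GitHub uses for that scope is packages: write). The workflow name, job names, registry, and image tag are assumed for the example.

```yaml
# Added example (not the PR's own workflow). Job and workflow names,
# the ghcr.io registry and the image tag are hypothetical.

name: build-and-push

on:
  push:
    branches: [main]
  pull_request:

# Workflow-level default for the GITHUB_TOKEN.
# As soon as any scope is listed here, every scope that is NOT listed is set
# to "none" for the whole workflow. This is the restrictive form; the weak
# alternative is omitting this block on a repository whose Actions setting
# is still "Read and write permissions", or writing "permissions: write-all".
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    # No permissions block: this job inherits the read-only token above.
    steps:
      - uses: actions/checkout@v4
      - run: ./mvnw -B verify   # build/test command is a placeholder

  push-image:
    # Only run the push on pushes to main, never for pull requests.
    if: github.event_name == 'push'
    needs: build
    runs-on: ubuntu-latest
    # A job-level block REPLACES the workflow-level block for this job
    # (it does not merge with it), so contents: read must be repeated.
    # Every scope not listed here is "none" for this job.
    permissions:
      contents: read
      packages: write
    steps:
      - uses: actions/checkout@v4
      - name: Log in to the registry with the short-lived GITHUB_TOKEN
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build and push
        run: |
          IMAGE="ghcr.io/${{ github.repository }}:${{ github.sha }}"
          docker build -t "$IMAGE" .
          docker push "$IMAGE"
```

Two details are worth checking when applying this pattern. First, a job-level permissions block replaces the workflow-level block rather than extending it, so any read scope the job still needs (here contents: read for checkout) has to be repeated. Second, the GITHUB_TOKEN can only push to a package that has granted the repository's Actions access in the package settings, which is the change the maintainer describes earlier in this thread; a token that lacks that access fails on push, while a PAT with broader scope would have succeeded silently.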