Update main.yml permissions #439
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Joyce <joycebrum@google.com>
|
Superseded by jaraco/skeleton#76. |
|
Just a comment: although the used workflow have its permissions set to minimal scope, since is this workflow that creates the GITHUB_TOKEN, to all other commands/workflows it will have the write-all permission if no permission is set on the yml file. I believe this PR would still be an add to supply-chain security, if possible, please reconsider. Thanks! |
|
@joycebrum the change was merged into https://github.com/jaraco/skeleton, and this repo was updated to the latest skeleton version, so your change already got pulled 😅 https://github.com/python/importlib_metadata/commits/main |
|
Aaaah my bad. I didn't noticed it worked like that 😅. Thanks for the explanation. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Changes
Closes #438
Looking at tox documentation, it does not seem to need id-token. Also I've looked into https://github.com/jaraco/jaraco.develop/blob/main/jaraco/develop/create-github-release.py and the permissions seems to be only
metadata: read(which is always read) andcontents: write(granted to the job).The other jobs seems to need only contents read, but I wasn't able to check due to test failings.
See what you think and if I may be missing something.