-
Notifications
You must be signed in to change notification settings - Fork 154
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ci: reduce the permissions for github actions jobs #375
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
📝 A few notes for the reviewers!
@@ -226,7 +229,7 @@ jobs: | |||
- name: "chore(health): check up on recent changes to the health score" | |||
uses: slackapi/slack-health-score@v0.1.1 | |||
with: | |||
codecov_token: ${{ secrets.CODECOV_TOKEN }} | |||
codecov_token: ${{ secrets.CODECOV_API_TOKEN }} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This was changed to be an API token and has been added as a secret- https://github.com/slackapi/slack-health-score/?tab=readme-ov-file#api-tokens
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh and this was changed because the standard upload token was being used: https://github.com/slackapi/slack-github-action/actions/runs/12173268802/job/33953505599#step:31:257
I don't think the testing workflow in this PR will show an update due to pull_request_target
, but I'm optimistic with this change working here 🙏
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
IMO the default permissions are alright on a "development" workflow that's only run for experimenting with changes 🔍
Open to updating this however though!
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #375 +/- ##
=======================================
Coverage 99.70% 99.70%
=======================================
Files 6 6
Lines 669 669
=======================================
Hits 667 667
Misses 2 2 ☔ View full report in Codecov by Sentry. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for looking into this 💯
All these changes look like improvements to me
@WilliamBergamin and thanks for suggesting these changes! I'm hoping these are all positive changes so going to merge this now but will be sure to follow up if regressions are noticed 🙏 ✨ |
Summary
Small update to avoid persisting
git
credentials between steps of an action, and reduces the permissions of each$GITHUB_TOKEN
to the minimum required.This makes no changes to how the
$GITHUB_TOKEN
can be accessed from the workflow!Preview
These changes were tested on a forked
main
:develop.yml
: No changes!publish.yml
: https://github.com/zimeg/slack-github-action/actions/runs/12321675869/job/34394241333test.yml
: https://github.com/zimeg/slack-github-action/actions/runs/12321990320/job/34394566023Requirements