
ci: reduce the permissions for github actions jobs #375

Merged
merged 9 commits into from
Dec 13, 2024

Conversation

zimeg
Member

@zimeg zimeg commented Dec 13, 2024

Summary

Small update to avoid persisting git credentials between steps of an action and to reduce the permissions of each $GITHUB_TOKEN to the minimum required.

This makes no changes to how the $GITHUB_TOKEN can be accessed from the workflow!

Preview

These changes were tested on a forked main:

Requirements
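As an added illustration of the two changes the PR summary describes (this is not code from the PR's diff or from the slackapi/slack-github-action repository), here is a minimal workflow that shows the permissive defaults next to their hardened counterparts; the workflow, job and step names are assumptions:

```yaml
# Added example, not part of this PR: the two hardening changes the summary
# names, with the default behaviour described in comments. Names are assumed.
name: ci

on:
  pull_request:

# Before: no `permissions:` key at all, so every job's GITHUB_TOKEN receives the
# repository's default token permissions, which can be read/write across
# contents, pull-requests, packages and more depending on repository settings.
#
# After: the workflow-level default is the narrowest useful scope, and any job
# that needs more requests it explicitly.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - name: checkout
        uses: actions/checkout@v4
        with:
          # The default is `true`: the GITHUB_TOKEN is written into the
          # checkout's .git/config (as an http extraheader) and remains
          # readable by every later step in the job, including third-party
          # actions. `false` removes it once the checkout has finished.
          persist-credentials: false
      - name: run tests
        run: npm ci && npm test

  comment:
    runs-on: ubuntu-latest
    # Job-level permissions replace the workflow-level set for this job rather
    # than merging with it, so every scope the job needs is listed here.
    permissions:
      contents: read
      pull-requests: write
    steps:
      - name: leave a comment
        run: gh pr comment "$PR" --body "tests passed"
        env:
          GH_TOKEN: ${{ github.token }}
          PR: ${{ github.event.pull_request.number }}
```

After a change like this, the effective scopes can be confirmed in the run log: the `Set up job` step of every job prints a `GITHUB_TOKEN Permissions` section listing exactly what the token was minted with, and a step that calls the API with a scope the job did not request fails with a 403 rather than silently falling back to broader access.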

@zimeg zimeg added security semver:patch github_actions Pull requests that update GitHub Actions code labels Dec 13, 2024
@zimeg zimeg added this to the 2.1 milestone Dec 13, 2024
@zimeg zimeg requested review from WilliamBergamin and a team December 13, 2024 19:50
@zimeg zimeg self-assigned this Dec 13, 2024
Member Author

@zimeg zimeg left a comment


📝 A few notes for the reviewers!

@@ -226,7 +229,7 @@ jobs:
- name: "chore(health): check up on recent changes to the health score"
uses: slackapi/slack-health-score@v0.1.1
with:
codecov_token: ${{ secrets.CODECOV_TOKEN }}
codecov_token: ${{ secrets.CODECOV_API_TOKEN }}
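Review bot: the `uses: slackapi/slack-health-score@v0.1.1` line in this hunk pins the action by a mutable tag; since the point of this PR is tightening workflow permissions, pinning to the full commit SHA (keeping the tag in a trailing comment) would also keep a moved tag from running different code with the renamed secret. Separately, the switch from `secrets.CODECOV_TOKEN` to `secrets.CODECOV_API_TOKEN` only takes effect once that secret exists in the repository settings, and an unset secret expands to an empty string instead of failing the step, so it is worth checking the step's log on the first run after merge and removing the old secret once nothing references it.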
Member Author


This was changed to be an API token and has been added as a secret: https://github.com/slackapi/slack-health-score/?tab=readme-ov-file#api-tokens

Member Author


Oh and this was changed because the standard upload token was being used: https://github.com/slackapi/slack-github-action/actions/runs/12173268802/job/33953505599#step:31:257

I don't think the testing workflow in this PR will show an update due to pull_request_target, but I'm optimistic with this change working here 🙏

Member Author


IMO the default permissions are alright on a "development" workflow that's only run for experimenting with changes 🔍

Open to updating this however though!


codecov bot commented Dec 13, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 99.70%. Comparing base (4879c43) to head (d584e53).
Report is 1 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #375   +/-   ##
=======================================
  Coverage   99.70%   99.70%           
=======================================
  Files           6        6           
  Lines         669      669           
=======================================
  Hits          667      667           
  Misses          2        2           


Contributor

@WilliamBergamin WilliamBergamin left a comment


Thanks for looking into this 💯

All these changes look like improvements to me

Member Author

zimeg commented Dec 13, 2024

@WilliamBergamin and thanks for suggesting these changes! I'm hoping these are all positive changes so going to merge this now but will be sure to follow up if regressions are noticed 🙏 ✨

@zimeg zimeg merged commit 6a5a811 into slackapi:main Dec 13, 2024
5 checks passed