Skip to content

[CI] Add token permissions for add-ready-label CI job #17730

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
May 13, 2025
Merged

[CI] Add token permissions for add-ready-label CI job #17730

merged 1 commit into from
May 13, 2025
+2 −0

Conversation

russellb
Copy link
Member

@russellb russellb commented May 6, 2025

Potential fix for https://github.com/vllm-project/vllm/security/code-scanning/20

To fix the issue, we will add a permissions block at the workflow level to explicitly define the least privileges required for the workflow. Since the workflow uses the issues.addLabels API, it requires issues: write permission. All other permissions will be set to read or omitted entirely.

The permissions block will be added at the root level of the workflow file, ensuring it applies to all jobs in the workflow.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

@russellb @github-advanced-security
[CI] Add token permissions for add-ready-label CI job
2ece868 
Signed-off-by: Russell Bryant <rbryant@redhat.com>

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@github-actions GitHub Actions
Copy link

github-actions bot commented May 6, 2025

👋 Hi! Thank you for contributing to the vLLM project.

💬 Join our developer Slack at https://slack.vllm.ai to discuss your PR in #pr-reviews, coordinate on features in #feat- channels, or join special interest groups in #sig- channels.

Just a reminder: PRs would not trigger full CI run by default. Instead, it would only run fastcheck CI which starts running only a small and essential subset of CI tests to quickly catch errors. You can run other CI tests on top of those by going to your fastcheck build on Buildkite UI (linked in the PR checks section) and unblock them. If you do not have permission to unblock, ping simon-mo or khluu to add you in our Buildkite org.

Once the PR is approved and ready to go, your PR reviewer(s) can run CI to test the changes comprehensively before merging.

To run CI, PR reviewers can either: Add ready label to the PR or enable auto-merge.

🚀

@russellb russellb changed the title Potential fix for code scanning alert no. 20: Workflow does not contain permissions [CI] Add token permissions for add-ready-label CI job May 6, 2025
@russellb russellb marked this pull request as ready for review May 6, 2025 16:17
@mergify mergify bot added the ci/build label May 6, 2025
@russellb russellb enabled auto-merge (squash) May 13, 2025 12:15
@github-actions github-actions bot added the ready ONLY add when PR is ready to merge/full CI is needed label May 13, 2025
@russellb russellb merged commit 54e467e into main May 13, 2025
39 of 40 checks passed
@russellb russellb deleted the alert-autofix-20 branch May 13, 2025 13:38
zzzyq pushed a commit to zzzyq/vllm that referenced this pull request May 24, 2025
@russellb @github-advanced-security
[CI] Add token permissions for add-ready-label CI job (vllm-project#1…
dc191ec 
…7730)

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Yuqi Zhang <yuqizhang@google.com>
minpeter pushed a commit to minpeter/vllm that referenced this pull request Jun 24, 2025
@russellb @github-advanced-security @minpeter
[CI] Add token permissions for add-ready-label CI job (vllm-project#1…
dea6382 
…7730)

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: minpeter <kali2005611@gmail.com>
@tanujtiwari1998 tanujtiwari1998 mentioned this pull request Jul 8, 2025
Merged
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hmellor hmellor hmellor approved these changes

Assignees
No one assigned
Labels
ci/build ready ONLY add when PR is ready to merge/full CI is needed
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@russellb @hmellor