
Commit 1642a36

remove permissions: write-all from workflows
It is dangerous to have this for untrusted workflows, and trusted workflows should have it by default.
1 parent 065e724 commit 1642a36


6 files changed: +7 -14 lines changed


.github/workflows/backport_branches.yml

Lines changed: 1 addition & 2 deletions
@@ -34,8 +34,7 @@ env:
3434
AZURE_STORAGE_ACCOUNT_URL: "https://${{ secrets.AZURE_ACCOUNT_NAME }}.blob.core.windows.net/"
3535
ROBOT_TOKEN: ${{ secrets.ROBOT_TOKEN }}
3636

37-
# Allow updating GH commit statuses and PR comments to post an actual job reports link
38-
permissions: write-all
37+
3938

4039
jobs:
4140
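Review bot: the deleted comment ("Allow updating GH commit statuses and PR comments to post an actual job reports link") documented a requirement this workflow still has, and nothing in the hunk replaces it: with no `permissions:` key at all, the GITHUB_TOKEN gets whatever the repository's "Workflow permissions" setting currently grants, which may be read-only. Instead of deleting the block and depending on that setting, declare the minimum the job-report step needs, e.g. `permissions:` / `contents: read` / `statuses: write` / `pull-requests: write`, so the workflow neither over-grants nor silently loses the ability to post statuses when the repository default changes.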

.github/workflows/master.yml

Lines changed: 1 addition & 2 deletions
@@ -33,8 +33,7 @@ env:
3333
AZURE_STORAGE_ACCOUNT_URL: "https://${{ secrets.AZURE_ACCOUNT_NAME }}.blob.core.windows.net/"
3434
ROBOT_TOKEN: ${{ secrets.ROBOT_TOKEN }}
3535

36-
# Allow updating GH commit statuses and PR comments to post an actual job reports link
37-
permissions: write-all
36+
3837

3938
jobs:
4039
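Review bot: `ROBOT_TOKEN: ${{ secrets.ROBOT_TOKEN }}` remains in `env` directly above the removed block, so this hunk does not show whether commit-status and PR-comment updates are made with GITHUB_TOKEN (in which case they relied on the removed grant and now need a scoped one) or with ROBOT_TOKEN (in which case `write-all` was dead weight and the removal is a pure reduction in privilege). The commit message should say which; if it is GITHUB_TOKEN, add `permissions:` with `statuses: write` and `pull-requests: write` rather than leaving the key out.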

.github/workflows/pull_request.yml

Lines changed: 1 addition & 2 deletions
@@ -34,8 +34,7 @@ env:
3434
AZURE_STORAGE_ACCOUNT_URL: "https://${{ secrets.AZURE_ACCOUNT_NAME }}.blob.core.windows.net/"
3535
ROBOT_TOKEN: ${{ secrets.ROBOT_TOKEN }}
3636

37-
# Allow updating GH commit statuses and PR comments to post an actual job reports link
38-
permissions: write-all
37+
3938

4039
jobs:
4140
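Review bot: for a workflow run on the `pull_request` event, a `permissions:` block cannot raise the token above read-only for pull requests coming from forks, so `write-all` only ever took effect for same-repository PRs; removing it is correct, but the same-repository case now also inherits the repository default. Add an explicit block, at minimum `permissions:` / `contents: read` plus the write scopes the report-posting step needs, so the intended privilege is visible in the file rather than in repository settings.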

.github/workflows/pull_request_external.yml

Lines changed: 1 addition & 2 deletions
@@ -21,8 +21,7 @@ env:
2121
DISABLE_CI_CACHE: ${{ github.event.inputs.no_cache || '0' }}
2222
CHECKOUT_REF: ${{ vars.DISABLE_CI_MERGE_COMMIT == '1' && github.event.pull_request.head.sha || '' }}
2323

24-
# Allow updating GH commit statuses and PR comments to post an actual job reports link
25-
permissions: write-all
24+
2625

2726
jobs:
2827
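Review bot: this is the file where the removal matters most: `CHECKOUT_REF` resolves to `github.event.pull_request.head.sha`, i.e. the head of an external PR, and that checkout previously ran under `permissions: write-all`. Dropping the grant is right, but leaving no `permissions:` key still inherits the repository default; pin it explicitly and minimally here (`permissions:` / `contents: read` at workflow level) and, if a later step must report a status, grant `statuses: write` at job level for that job only, not workflow-wide.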

.github/workflows/release_branches.yml

Lines changed: 1 addition & 2 deletions
@@ -33,8 +33,7 @@ env:
3333
AZURE_STORAGE_ACCOUNT_URL: "https://${{ secrets.AZURE_ACCOUNT_NAME }}.blob.core.windows.net/"
3434
ROBOT_TOKEN: ${{ secrets.ROBOT_TOKEN }}
3535

36-
# Allow updating GH commit statuses and PR comments to post an actual job reports link
37-
permissions: write-all
36+
3837

3938
jobs:
4039
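Review bot: style: the hunk replaces two lines (the comment and `permissions: write-all`) with one empty line, which leaves three consecutive blank lines between the last `env` entry and `jobs:`; every generated workflow in this commit shows the same pattern. If the generator surrounds `TEMPLATE_GH_TOKEN_PERMISSIONS` with newlines, skip them when the template is empty, or better, have the template emit a real least-privilege block instead of an empty string so the blank-line issue disappears with it.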

ci/praktika/yaml_generator.py

Lines changed: 2 additions & 4 deletions
@@ -55,10 +55,8 @@ class Templates:
5555
jobs:
5656
{JOBS}\
5757
"""
58-
TEMPLATE_GH_TOKEN_PERMISSIONS = """\
59-
# Allow updating GH commit statuses and PR comments to post an actual job reports link
60-
permissions: write-all\
61-
"""
58+
# NOTE (strtgbb): This is dangerous to set for untrusted workflows, and for trusted workflows it should already be the default
59+
TEMPLATE_GH_TOKEN_PERMISSIONS = ""
6260
TEMPLATE_ENV_CHECKOUT_REF_PR = """\
6361
GH_TOKEN: ${{{{ github.token }}}}
6462
DISABLE_CI_MERGE_COMMIT: ${{{{ vars.DISABLE_CI_MERGE_COMMIT || '0' }}}}
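Review bot: `TEMPLATE_GH_TOKEN_PERMISSIONS = ""` removes the over-grant but also removes any declaration, so the effective permissions of every generated workflow now come from the repository's "Workflow permissions" setting. The NOTE's claim that trusted workflows "should already" have this by default holds only while that setting is left permissive; if an admin switches it to read-only, the generated workflows will not fail at parse time but the status/comment-posting steps will start failing. Suggest the template emit a least-privilege default, e.g. `permissions:` / `contents: read`, and have the job that posts the report link add `statuses: write` and `pull-requests: write` at job level, so each generated file documents what it needs. Doc nit: the NOTE should say why `write-all` is dangerous for untrusted workflows (a run that checks out untrusted PR code would let that code act on the repository with the workflow token), not just that it is.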
