Add more permissions #26
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -4,9 +4,14 @@ on: | |
| issue_comment: | ||
| types: [created] # Add "smoke test" as a PR comment to trigger this workflow. | ||
|
|
||
| # Permissions needed for reacting and adding comments for IssueOps commands | ||
| # See: https://github.com/github/branch-deploy/blob/48285b12b35e47e2dde0c27d2abb33daa846d98b/README.md?plain=1#L189-L197 | ||
| permissions: | ||
| pull-requests: write # Required for commenting on PRs | ||
| deployments: write # Required for updating deployment statuses | ||
| contents: write # Required for reading/writing the lock file | ||
|
Contributor
There was a problem hiding this comment. This makes me wonder if we really need the workflow. On one hand it is carefully reviewed IssueOps, on the other hand it is a potentially untrusted code running with high privileges...
Contributor
There was a problem hiding this comment. Or trigger it only on release or push instead of issue comment? The tests are running on the base code and not head anyway, so I don't see why it should be on issue comment. And if it runs on head then we definitely need to restrict it. It's not very clear to me when we want to run this workflow.
Collaborator
Author
There was a problem hiding this comment. The idea is that the branch-deploy action makes this safe to trigger with an issue comment. It's the solution that we've been recommending to other open source maintainers. I intended this to run on the code from the PR, not the base code. That was a mistake.
Contributor
There was a problem hiding this comment. Good catch, I didn't notice it checkouts the main instead of
Collaborator
Author
There was a problem hiding this comment. It's for testing that the examples still work. It needs the
Collaborator
Author
There was a problem hiding this comment. I've updated it to use |
||
| checks: read # Required for checking if the CI checks have passed in order to deploy the PR | ||
| statuses: read # Required for checking if all commit statuses are "success" in order to deploy the PR | ||
|
|
||
| jobs: | ||
| Linux: | ||
|
|
@@ -19,14 +24,17 @@ jobs: | |
| trigger: "smoke test" | ||
| reaction: "eyes" | ||
| stable_branch: "main" | ||
| update_branch: "disable" | ||
|
|
||
| - name: Setup Python | ||
| uses: actions/setup-python@v5 | ||
| with: | ||
| python-version: '3.11' | ||
|
|
||
| - name: Checkout | ||
| uses: actions/checkout@v5 | ||
| with: | ||
| ref: ${{ github.head_ref }} | ||
|
|
||
| - name: Setup Python venv | ||
| run: | | ||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
[nitpick] The comment states 'reading/writing' but the permission is 'write'. Consider clarifying that 'write' permission includes read access, or simplify to 'Required for writing the lock file' to match the permission level.