chore(ci): change token permissions #20123
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Record PR details | |
# PROCESS | |
# | |
# 1. Runs in fork location upon PR creation or changes | |
# 2. Saves GitHub Pull Request Webhook payload | |
# 3. Uploads as a temporary GitHub Action Artifact with shortest retention | |
# USAGE | |
# | |
# see .github/workflows/on_merged_pr.yml and related for full example. | |
# | |
# on: | |
# workflow_run: | |
# workflows: ["Record PR details"] | |
# types: | |
# - completed | |
# | |
# Security Note: | |
# | |
# For security, this is intended to be a 2-step process: (1) collect PR, (2) act on PR. | |
# Do not ever use `pull_request_target` to "simplify", as it sends a write-token to the fork. Our linter should catch it. | |
# | |
# The first step runs in untrusted location (fork), therefore we limit permissions to only check out code. | |
# | |
# The second step will be workflows that want to act on a given PR, this time with intended permissions, and | |
# it runs on its base location (this repo!). | |
# | |
# This enforces zero trust where this workflow always runs on fork with zero permissions on GH_TOKEN. | |
# When this workflow completes, X workflows run in our repository with the appropriate permissions and sanitize inputs. | |
# | |
# Coupled with "Approve GitHub Action to run on forks", we have confidence no privilege can be escalated, | |
# since any malicious change would need to be approved, and upon social engineering, it'll have zero permissions. | |
on: | |
pull_request: | |
types: [opened, edited, closed, labeled] | |
permissions: | |
contents: read | |
jobs: | |
record_pr: | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read # NOTE: treat as untrusted location | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: "Extract PR details" | |
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 | |
with: | |
script: | | |
const script = require('.github/scripts/save_pr_details.js') | |
await script({github, context, core}) | |
- uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0 | |
with: | |
name: pr | |
path: pr.txt | |
retention-days: 1 |