Skip to content

Refine job-level permissions to enhance supply chain security #92

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Mar 27, 2025
Merged

Refine job-level permissions to enhance supply chain security #92

merged 4 commits into from
Mar 27, 2025

Conversation

@Yang-33
Copy link
Contributor

@Yang-33 Yang-33 commented Mar 26, 2025
edited
Loading

Changes

This PR specifies minimal permissions on each job to reduce unnecessary access to repository contents and avoid potential security risks. By granting only the required scopes (e.g. read-only for repository contents and write access only for issues to post PR comments), we can protect the supply chain from unintended privilege escalations.

parent: line/line-bot-sdk-nodejs#1202

@github-actions
Copy link

github-actions bot commented Mar 26, 2025

JAVA

You can check generated code in java

Check the diff here

@github-actions
Copy link

github-actions bot commented Mar 26, 2025

PYTHON

You can check generated code in python

Check the diff here

@github-actions
Copy link

github-actions bot commented Mar 26, 2025

GO

You can check generated code in go

Check the diff here

@github-actions
Copy link

github-actions bot commented Mar 26, 2025

PHP

You can check generated code in php

Check the diff here

@github-actions
Copy link

github-actions bot commented Mar 26, 2025

NODEJS

You can check generated code in nodejs

Check the diff here

Yang-33
Yang-33 commented Mar 26, 2025
View reviewed changes
.github/workflows/sdk-testing.yml
language: python
github-token: ${{ secrets.GITHUB_TOKEN }}

- name: Update version in linebot/__about__.py
Copy link
Contributor Author

@Yang-33 Yang-33 Mar 26, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is an intentional change. line/line-bot-sdk-python#710 forgot deleting these lines in this repo.

Yang-33
Yang-33 commented Mar 26, 2025
View reviewed changes
.github/workflows/sdk-testing.yml
- name: Setup PHP
uses: shivammathur/setup-php@9e72090525849c5e82e596468b86eb55e9cc5401 # 2.32.0
with:
distribution: 'temurin'
Copy link
Contributor Author

@Yang-33 Yang-33 Mar 26, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

distribution: 'temurin' is only for setup-java 😅 some actions may be copied from setup-java, but it's unnecessary.

@Yang-33 Yang-33 requested a review from a team March 26, 2025 12:54
@Yang-33 Yang-33 self-assigned this Mar 26, 2025
eucyt
eucyt approved these changes Mar 27, 2025
View reviewed changes
Copy link
Contributor

@eucyt eucyt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you!

@Yang-33 Yang-33 merged commit 86780cb into main Mar 27, 2025
10 checks passed
@Yang-33 Yang-33 deleted the grant-minimum-permissions branch March 27, 2025 01:39
This was referenced Mar 27, 2025
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@eucyt eucyt eucyt approved these changes

Assignees

@Yang-33 Yang-33

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Yang-33 @eucyt