[libc++][Github] Remove workflow-scoped write permissions #126447
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This patch removes the workflow-scoped package write permissions in the libcxx-build-containers workflow. The relevant permissions are already present in the job, so this raises the potential for new jobs being added to the workflow that do not need the permissions but having them anyways. Not having workflow-scoped write permissions is security best practice. Fixes llvm#126230.
boomanaiden154
requested review from
EricWF,
ldionne,
philnik777 and
tstellar
llvmbot
added
libc++
|
@llvm/pr-subscribers-github-workflow Author: Aiden Grossman (boomanaiden154) ChangesThis patch removes the workflow-scoped package write permissions in the libcxx-build-containers workflow. The relevant permissions are already present in the job, so this raises the potential for new jobs being added to the workflow that do not need the permissions but having them anyways. Not having workflow-scoped write permissions is security best practice. Fixes #126230. Full diff: https://github.com/llvm/llvm-project/pull/126447.diff 1 Files Affected:
diff --git a/.github/workflows/libcxx-build-containers.yml b/.github/workflows/libcxx-build-containers.yml
index 2d040f712ce592b..bb4bd8843772fba 100644
--- a/.github/workflows/libcxx-build-containers.yml
+++ b/.github/workflows/libcxx-build-containers.yml
@@ -9,7 +9,6 @@ name: Build Docker images for libc++ CI
permissions:
contents: read
- packages: write
on:
push:
|
|
@llvm/pr-subscribers-libcxx Author: Aiden Grossman (boomanaiden154) ChangesThis patch removes the workflow-scoped package write permissions in the libcxx-build-containers workflow. The relevant permissions are already present in the job, so this raises the potential for new jobs being added to the workflow that do not need the permissions but having them anyways. Not having workflow-scoped write permissions is security best practice. Fixes #126230. Full diff: https://github.com/llvm/llvm-project/pull/126447.diff 1 Files Affected:
diff --git a/.github/workflows/libcxx-build-containers.yml b/.github/workflows/libcxx-build-containers.yml
index 2d040f712ce592b..bb4bd8843772fba 100644
--- a/.github/workflows/libcxx-build-containers.yml
+++ b/.github/workflows/libcxx-build-containers.yml
@@ -9,7 +9,6 @@ name: Build Docker images for libc++ CI
permissions:
contents: read
- packages: write
on:
push:
|
tstellar
approved these changes
Feb 10, 2025
boomanaiden154
deleted the
libcxx-build-container-no-top-of-file-write-packages
branch
Icohedron
pushed a commit
to Icohedron/llvm-project
that referenced
this pull request
Feb 11, 2025
This patch removes the workflow-scoped package write permissions in the libcxx-build-containers workflow. The relevant permissions are already present in the job, so this raises the potential for new jobs being added to the workflow that do not need the permissions but having them anyways. Not having workflow-scoped write permissions is security best practice. Fixes llvm#126230.
joaosaffran
pushed a commit
to joaosaffran/llvm-project
that referenced
this pull request
Feb 14, 2025
This patch removes the workflow-scoped package write permissions in the libcxx-build-containers workflow. The relevant permissions are already present in the job, so this raises the potential for new jobs being added to the workflow that do not need the permissions but having them anyways. Not having workflow-scoped write permissions is security best practice. Fixes llvm#126230.
sivan-shani
pushed a commit
to sivan-shani/llvm-project
that referenced
this pull request
Feb 24, 2025
This patch removes the workflow-scoped package write permissions in the libcxx-build-containers workflow. The relevant permissions are already present in the job, so this raises the potential for new jobs being added to the workflow that do not need the permissions but having them anyways. Not having workflow-scoped write permissions is security best practice. Fixes llvm#126230.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This patch removes the workflow-scoped package write permissions in the libcxx-build-containers workflow. The relevant permissions are already present in the job, so this raises the potential for new jobs being added to the workflow that do not need the permissions but having them anyways. Not having workflow-scoped write permissions is security best practice.
Fixes #126230.