Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Scope down workflow permissions #12973

Closed
wants to merge 3 commits into from
Closed

Scope down workflow permissions #12973

wants to merge 3 commits into from
+10 −6

Conversation

jaykorean
Copy link
Contributor

@jaykorean jaykorean commented Aug 26, 2024
edited
Loading

Summary

Followed instruction per https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#defining-access-for-the-github_token-scopes

It turns out that we did not need any of these except Metadata: read.

Before

GITHUB_TOKEN Permissions
  Actions: write
  Attestations: write
  Checks: write
  Contents: write
  Deployments: write
  Discussions: write
  Issues: write
  Metadata: read
  Packages: write
  Pages: write
  PullRequests: write
  RepositoryProjects: write
  SecurityEvents: write
  Statuses: write

After

GITHUB_TOKEN Permissions
  Metadata: read

Test Plan

GitHub Actions triggered by this PR

@jaykorean jaykorean changed the title Revoke all permissions to see what fails first Scope down workflow permissions Aug 26, 2024
@jaykorean jaykorean force-pushed the scope_down_workflow_permissions branch from 748b41b to 75bf7f8 Compare August 26, 2024 19:44
@jaykorean jaykorean requested review from anand1976 and ltamasi August 26, 2024 19:50
@jaykorean jaykorean marked this pull request as ready for review August 26, 2024 19:51
@facebook-github-bot
Copy link
Contributor

@jaykorean has imported this pull request. If you are a Meta employee, you can view this diff on Phabricator.

@facebook-github-bot
Copy link
Contributor

@jaykorean has updated the pull request. You must reimport the pull request before landing.

@facebook-github-bot
Copy link
Contributor

@jaykorean has imported this pull request. If you are a Meta employee, you can view this diff on Phabricator.

cbi42
cbi42 approved these changes Aug 26, 2024
View reviewed changes
Copy link
Member

@cbi42 cbi42 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The nightly jobs are probably not triggered by this PR?

@jaykorean
Copy link
Contributor Author

@cbi42 Correct. It is scheduled by cron (cron: 0 9 * * * - 9AM every day) or can be triggered manually (workflow_dispatch).

@cbi42
Copy link
Member

cbi42 commented Aug 26, 2024

@cbi42 Correct. It is scheduled by cron (cron: 0 9 * * * - 9AM every day) or can be triggered manually (workflow_dispatch).

I see. We can monitor the next run just to make sure.

@facebook-github-bot
Copy link
Contributor

@jaykorean merged this pull request in 0082907.

@jaykorean jaykorean deleted the scope_down_workflow_permissions branch August 26, 2024 23:37
@jaykorean jaykorean mentioned this pull request Feb 10, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cbi42 cbi42 cbi42 approved these changes

@anand1976 anand1976 Awaiting requested review from anand1976

@ltamasi ltamasi Awaiting requested review from ltamasi

Assignees
No one assigned
Labels
CLA Signed Merged
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@jaykorean @facebook-github-bot @cbi42