
Scope down workflow permissions #12973

Closed

Conversation

@jaykorean (Contributor) commented Aug 26, 2024

Summary

Followed the instructions at https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#defining-access-for-the-github_token-scopes

It turns out that we did not need any of these except Metadata: read.

Before

GITHUB_TOKEN Permissions
  Actions: write
  Attestations: write
  Checks: write
  Contents: write
  Deployments: write
  Discussions: write
  Issues: write
  Metadata: read
  Packages: write
  Pages: write
  PullRequests: write
  RepositoryProjects: write
  SecurityEvents: write
  Statuses: write

After

GITHUB_TOKEN Permissions
  Metadata: read

Test Plan

GitHub Actions triggered by this PR
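The two permission sets in the summary map directly onto the `permissions` key of a workflow file. The following is an added illustration, not RocksDB's workflow (the workflow name, job names and steps are hypothetical): it places the weak setting beside the scoped-down one and shows how a single job can be granted a scope the rest of the workflow does not get.

```yaml
# Added example; not RocksDB's workflow file. Names and steps are illustrative.
name: ci

on:
  pull_request:
  schedule:
    - cron: '0 9 * * *'   # a schedule-only run is not exercised by PR CI
  workflow_dispatch:

# Weak setting: this is what the "Before" list above amounts to. Every job
# receives a GITHUB_TOKEN that can write contents, packages, pull requests,
# security events and more, whether or not it uses them.
#
# permissions: write-all

# Scoped-down setting: an empty map at workflow level leaves the token with
# metadata: read only, which is exactly the "After" list above.
permissions: {}

jobs:
  build:
    runs-on: ubuntu-latest
    # Inherits permissions: {}. actions/checkout of a public repository works
    # with a metadata-only token; a private repository would need
    # contents: read granted here.
    steps:
      - uses: actions/checkout@v4
      - run: make check

  report:
    runs-on: ubuntu-latest
    needs: build
    # Grant a scope only to the job that needs it. Listing any scope here
    # sets every unlisted scope to none; metadata stays read.
    permissions:
      checks: write
    steps:
      - run: echo "this job's GITHUB_TOKEN can create check runs, nothing else"
```

Two checks worth running after a change like this: confirm in the job log's "GITHUB_TOKEN Permissions" header that each job shows only the scopes you intended, and trigger any workflow that only runs on `schedule` or `workflow_dispatch` by hand, because opening a PR does not exercise it and a missing scope there will only surface on the next scheduled run.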

@jaykorean jaykorean changed the title Revoke all permissions to see what fails first Scope down workflow permissions Aug 26, 2024
@jaykorean jaykorean force-pushed the scope_down_workflow_permissions branch from 748b41b to 75bf7f8 on August 26, 2024 19:44
@jaykorean jaykorean requested review from anand1976 and ltamasi August 26, 2024 19:50
@jaykorean jaykorean marked this pull request as ready for review August 26, 2024 19:51
@facebook-github-bot (Contributor) commented:

@jaykorean has imported this pull request. If you are a Meta employee, you can view this diff on Phabricator.

@facebook-github-bot (Contributor) commented:

@jaykorean has updated the pull request. You must reimport the pull request before landing.

@facebook-github-bot (Contributor) commented:

@jaykorean has imported this pull request. If you are a Meta employee, you can view this diff on Phabricator.

@cbi42 (Member) left a comment:

The nightly jobs are probably not triggered by this PR?

@jaykorean (Contributor, Author) replied:

@cbi42 Correct. It is scheduled by cron (cron: 0 9 * * * - 9AM every day) or can be triggered manually (workflow_dispatch).

@cbi42 (Member) commented Aug 26, 2024:

@cbi42 Correct. It is scheduled by cron (cron: 0 9 * * * - 9AM every day) or can be triggered manually (workflow_dispatch).

I see. We can monitor the next run just to make sure.

@facebook-github-bot (Contributor) commented:

@jaykorean merged this pull request in 0082907.

@jaykorean jaykorean deleted the scope_down_workflow_permissions branch August 26, 2024 23:37