Skip to content

ci: add GitHub token permissions for workflow #6106

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

ci: add GitHub token permissions for workflow #6106

wants to merge 1 commit into from

Conversation

varunsh-coder
Copy link
Contributor

This PR adds minimum token permissions for the GITHUB_TOKEN using https://github.com/step-security/secure-workflows.

GitHub recommends defining minimum GITHUB_TOKEN permissions for securing GitHub Actions workflows

This project is part of the top 100 critical projects as per OpenSSF (https://github.com/ossf/wg-securing-critical-projects), so fixing the token permissions to improve security.

Signed-off-by: Varun Sharma varunsh@stepsecurity.io

@varunsh-coder
ci: add GitHub token permissions for workflow
ddaf0a9 
Signed-off-by: Varun Sharma <varunsh@stepsecurity.io>
@varunsh-coder varunsh-coder mentioned this pull request Jul 11, 2022
Open
@copybara-service copybara-service bot mentioned this pull request Jul 13, 2022
Closed
copybara-service bot pushed a commit that referenced this pull request Jul 13, 2022
@cgdecker
ci: add GitHub token permissions for workflow
50f4fb0 
Signed-off-by: Varun Sharma <varunsh@stepsecurity.io>

Closes #6106

RELNOTES=n/a
PiperOrigin-RevId: 460729188
@varunsh-coder varunsh-coder mentioned this pull request Jul 28, 2022
Open
32 tasks
@ashishkurmi ashishkurmi mentioned this pull request Dec 21, 2022
Open
87 tasks
copybara-service bot pushed a commit to google/jimfs that referenced this pull request Sep 3, 2025
@cpovirk
Attempt to fix Javadoc snapshots:
2d71746 
- google/truth#1413
- google/auto#1900
- #401

Compare cl/460733976 from google/guava#6106. I notice that that earlier CL also added a `permissions` section for the `test` job, both for reading (for `actions/checkout`) and for writing (for `styfle/cancel-workflow-action`, which apparently [we probably shouldn't be using nowadays](https://github.com/styfle/cancel-workflow-action/blob/main/README.md#:~:text=You%20probably%20don%27t%20need%20to%20install%20this%20custom%20action) and which [might not even need the explicit permissions](https://github.com/styfle/cancel-workflow-action/blob/main/README.md#advanced-token-permissions)?). I'm not worrying about that for now, but that offers further evidence that I have no idea what I'm doing here.

RELNOTES=n/a
PiperOrigin-RevId: 802304800
copybara-service bot pushed a commit to google/truth that referenced this pull request Sep 3, 2025
@cpovirk
Attempt to fix Javadoc snapshots:
9574240 
- #1413
- google/auto#1900
- google/jimfs#401

Compare cl/460733976 from google/guava#6106. I notice that that earlier CL also added a `permissions` section for the `test` job, both for reading (for `actions/checkout`) and for writing (for `styfle/cancel-workflow-action`, which apparently [we probably shouldn't be using nowadays](https://github.com/styfle/cancel-workflow-action/blob/main/README.md#:~:text=You%20probably%20don%27t%20need%20to%20install%20this%20custom%20action) and which [might not even need the explicit permissions](https://github.com/styfle/cancel-workflow-action/blob/main/README.md#advanced-token-permissions)?). I'm not worrying about that for now, but that offers further evidence that I have no idea what I'm doing here.

RELNOTES=n/a
PiperOrigin-RevId: 802304800
This was referenced Sep 3, 2025
Merged
Merged
copybara-service bot pushed a commit to google/auto that referenced this pull request Sep 3, 2025
@cpovirk
Attempt to fix Javadoc snapshots:
e066358 
- google/truth#1413
- #1900
- google/jimfs#401

Compare cl/460733976 from google/guava#6106. I notice that that earlier CL also added a `permissions` section for the `test` job, both for reading (for `actions/checkout`) and for writing (for `styfle/cancel-workflow-action`, which apparently [we probably shouldn't be using nowadays](https://github.com/styfle/cancel-workflow-action/blob/main/README.md#:~:text=You%20probably%20don%27t%20need%20to%20install%20this%20custom%20action) and which [might not even need the explicit permissions](https://github.com/styfle/cancel-workflow-action/blob/main/README.md#advanced-token-permissions)?). I'm not worrying about that for now, but that offers further evidence that I have no idea what I'm doing here.

RELNOTES=n/a
PiperOrigin-RevId: 802304800
@copybara-service copybara-service bot mentioned this pull request Sep 3, 2025
Merged
copybara-service bot pushed a commit to google/jimfs that referenced this pull request Sep 3, 2025
@cpovirk
Attempt to fix Javadoc snapshots:
79fa5ce 
- google/truth#1413
- google/auto#1900
- #401

Compare cl/460733976 from google/guava#6106. I notice that that earlier CL also added a `permissions` section for the `test` job, both for reading (for `actions/checkout`) and for writing (for `styfle/cancel-workflow-action`, which apparently [we probably shouldn't be using nowadays](https://github.com/styfle/cancel-workflow-action/blob/main/README.md#:~:text=You%20probably%20don%27t%20need%20to%20install%20this%20custom%20action) and which [might not even need the explicit permissions](https://github.com/styfle/cancel-workflow-action/blob/main/README.md#advanced-token-permissions)?). I'm not worrying about that for now, but that offers further evidence that I have no idea what I'm doing here.

RELNOTES=n/a
PiperOrigin-RevId: 802346694
copybara-service bot pushed a commit to google/truth that referenced this pull request Sep 3, 2025
@cpovirk
Attempt to fix Javadoc snapshots:
a29e1b2 
- #1413
- google/auto#1900
- google/jimfs#401

Compare cl/460733976 from google/guava#6106. I notice that that earlier CL also added a `permissions` section for the `test` job, both for reading (for `actions/checkout`) and for writing (for `styfle/cancel-workflow-action`, which apparently [we probably shouldn't be using nowadays](https://github.com/styfle/cancel-workflow-action/blob/main/README.md#:~:text=You%20probably%20don%27t%20need%20to%20install%20this%20custom%20action) and which [might not even need the explicit permissions](https://github.com/styfle/cancel-workflow-action/blob/main/README.md#advanced-token-permissions)?). I'm not worrying about that for now, but that offers further evidence that I have no idea what I'm doing here.

RELNOTES=n/a
PiperOrigin-RevId: 802346694
copybara-service bot pushed a commit to google/auto that referenced this pull request Sep 3, 2025
@cpovirk
Attempt to fix Javadoc snapshots:
456c645 
- google/truth#1413
- #1900
- google/jimfs#401

Compare cl/460733976 from google/guava#6106. I notice that that earlier CL also added a `permissions` section for the `test` job, both for reading (for `actions/checkout`) and for writing (for `styfle/cancel-workflow-action`, which apparently [we probably shouldn't be using nowadays](https://github.com/styfle/cancel-workflow-action/blob/main/README.md#:~:text=You%20probably%20don%27t%20need%20to%20install%20this%20custom%20action) and which [might not even need the explicit permissions](https://github.com/styfle/cancel-workflow-action/blob/main/README.md#advanced-token-permissions)?). I'm not worrying about that for now, but that offers further evidence that I have no idea what I'm doing here.

RELNOTES=n/a
PiperOrigin-RevId: 802346694
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@varunsh-coder