Adding comments for why certain permissions are needed

marqo-ai · Nov 22, 2024 · 77a1314 · 77a1314
1 parent 5110fe3
commit 77a1314
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 21 deletions.
diff --git a/.github/workflows/backwards_compatibility_marqo_execution.yml b/.github/workflows/backwards_compatibility_marqo_execution.yml
@@ -42,13 +42,11 @@ on:
 jobs:
   Start-Runner:
     permissions:
-      contents: read
-      actions: write
-      id-token: write
-      checks: write
-      deployments: write
-      packages: write
-      statuses: write
+      contents: read # This permission is necessary to read repository contents
+      actions: write # Used by machulav/ec2-github-runner@v2 for managing self-hosted runners. The workflow needs to create and manage GitHub Actions runners on EC2
+      id-token: write # Used by aws-actions/configure-aws-credentials@v4. Required for AWS authentication and OIDC token management
+      checks: write # Used implicitly by GitHub Actions to report job statuses and create check runs
+      statuses: write # Used implicitly by GitHub Actions to report job statuses and create check runs
     name: Start self-hosted EC2 runner
     runs-on: ubuntu-latest
     outputs:
@@ -134,13 +132,11 @@ jobs:
   Stop-Runner:
     name: Stop self-hosted EC2 runner
     permissions:
-      contents: read
-      actions: write
-      id-token: write
-      checks: write
-      deployments: write
-      packages: write
-      statuses: write
+      contents: read # This permission is necessary to read repository contents
+      actions: write # Used by machulav/ec2-github-runner@v2 for managing self-hosted runners. The workflow needs to create and manage GitHub Actions runners on EC2
+      id-token: write # Used by aws-actions/configure-aws-credentials@v4. Required for AWS authentication and OIDC token management
+      checks: write # Used implicitly by GitHub Actions to report job statuses and create check runs
+      statuses: write # Used implicitly by GitHub Actions to report job statuses and create check runs
     needs:
       - Start-Runner # required to get output from the start-runner job
       - backwards_compatibility # required to wait when the main job is done

diff --git a/.github/workflows/backwards_compatibility_marqo_orchestrator.yml b/.github/workflows/backwards_compatibility_marqo_orchestrator.yml
@@ -145,13 +145,11 @@ jobs:
     uses: ./.github/workflows/backwards_compatibility_marqo_execution.yml
     secrets: inherit
     permissions:
-      contents: read
-      actions: write
-      id-token: write
-      checks: write
-      deployments: write
-      packages: write
-      statuses: write
+      contents: read # This permission is necessary to read repository contents
+      actions: write # Used by machulav/ec2-github-runner@v2 for managing self-hosted runners. The workflow needs to create and manage GitHub Actions runners on EC2
+      id-token: write # Used by aws-actions/configure-aws-credentials@v4. Required for AWS authentication and OIDC token management
+      checks: write # Used implicitly by GitHub Actions to report job statuses and create check runs
+      statuses: write # Used implicitly by GitHub Actions to report job statuses and create check runs
     with:
       from_version: ${{ matrix.from_version }}
       to_version: ${{ needs.orchestrate.outputs.to_version }}