Skip to content

[CI] set token permissions for pre-commit CI job #17729

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
May 13, 2025
Merged

[CI] set token permissions for pre-commit CI job #17729

merged 1 commit into from
May 13, 2025

Conversation

@russellb
Copy link
Member

@russellb russellb commented May 6, 2025

Potential fix for https://github.com/vllm-project/vllm/security/code-scanning/21

To fix the issue, we will add a permissions block at the root level of the workflow file. This block will specify the least privileges required for the workflow to function correctly. Since the workflow only runs pre-commit checks and does not modify repository contents or interact with pull requests, it only requires contents: read permissions. This change will ensure that the workflow adheres to the principle of least privilege.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

@russellb @github-advanced-security
[CI] set token permissions for pre-commit CI job
3fae47c 
Signed-off-by: Russell Bryant <rbryant@redhat.com>

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@github-actions
Copy link

github-actions bot commented May 6, 2025

👋 Hi! Thank you for contributing to the vLLM project.

💬 Join our developer Slack at https://slack.vllm.ai to discuss your PR in #pr-reviews, coordinate on features in #feat- channels, or join special interest groups in #sig- channels.

Just a reminder: PRs would not trigger full CI run by default. Instead, it would only run fastcheck CI which starts running only a small and essential subset of CI tests to quickly catch errors. You can run other CI tests on top of those by going to your fastcheck build on Buildkite UI (linked in the PR checks section) and unblock them. If you do not have permission to unblock, ping simon-mo or khluu to add you in our Buildkite org.

Once the PR is approved and ready to go, your PR reviewer(s) can run CI to test the changes comprehensively before merging.

To run CI, PR reviewers can either: Add ready label to the PR or enable auto-merge.

🚀

@russellb russellb changed the title Potential fix for code scanning alert no. 21: Workflow does not contain permissions [CI] set token permissions for pre-commit CI job May 6, 2025
@russellb russellb marked this pull request as ready for review May 6, 2025 16:15
@mergify mergify bot added the ci/build label May 6, 2025
@russellb russellb enabled auto-merge (squash) May 13, 2025 12:16
@github-actions github-actions bot added the ready ONLY add when PR is ready to merge/full CI is needed label May 13, 2025
@russellb russellb merged commit 00b14e0 into main May 13, 2025
40 checks passed
@russellb russellb deleted the alert-autofix-21 branch May 13, 2025 13:38
zzzyq pushed a commit to zzzyq/vllm that referenced this pull request May 24, 2025
@russellb @github-advanced-security
[CI] set token permissions for pre-commit CI job (vllm-project#17729)
6579f2e 
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Yuqi Zhang <yuqizhang@google.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@hmellor hmellor hmellor approved these changes

Assignees

No one assigned

Labels

ci/build ready ONLY add when PR is ready to merge/full CI is needed

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@russellb @hmellor