[CI][OSSF] Add default permissions to work flows #13173
Merged
aelovikov-intel merged 1 commit into intel:sycl from stdale-intel:private/stewartt/ossfTokenPermission on Mar 28, 2024
aelovikov-intel approved these changes, Mar 27, 2024
Looks reasonable to me but I encourage others to look at it as well.
cperkinsintel approved these changes, Mar 27, 2024
@intel/llvm-gatekeepers this should be good to go since failure is unrelated: `FAILED: lib/libLLVMAMDGPUCodeGen.so.19.0git`
This was referenced Mar 29, 2024
aelovikov-intel pushed a commit that referenced this pull request, Apr 2, 2024
After #13173, we are not able to push container images. See https://github.com/intel/llvm/actions/runs/8485593107/job/23250649681

```
------
 > pushing ghcr.io/intel/llvm/ubuntu2204_base:2f03ef85fee5e867c8250d535f561f2e52e5260c with docker:
------
ERROR: denied: installation not allowed to Write organization package
Error: buildx failed with: ERROR: denied: installation not allowed to Write organization package
```

We need to update the docker images, so need to write packages. Push permission tested through non PR workflow run here: https://github.com/intel/llvm/actions/runs/8516878870
aelovikov-intel added a commit to aelovikov-intel/llvm that referenced this pull request, May 6, 2024
It's been broken since intel#13173.
jsji added a commit that referenced this pull request, May 7, 2024
The update_check started to fail 2 weeks ago in https://github.com/intel/llvm/actions/runs/8461500755. Last CUDA e2e success was https://github.com/intel/llvm/actions/runs/8460746056 2 weeks ago!! So looks like a problem caused by #13173 again..
aelovikov-intel pushed a commit that referenced this pull request, May 7, 2024
The update-check started to fail 2 months ago in https://github.com/intel/llvm/actions/runs/8461500755. Last CUDA e2e success was https://github.com/intel/llvm/actions/runs/8460746056 2 months ago!! So looks like a problem caused by #13173 again..
Per OSSF (https://securityscorecards.dev/viewer/?uri=github.com/intel/llvm), all workflows should have a default top-level permission set, which we set as below, as per the recommendation:

```
permissions:
  contents: read
```

Then, within actual jobs, when needed, we added additional privileges.
These changes were generated by the recommended OSSF tool.
This PR changes those workflows created/owned by the intel/llvm repo. Will do a separate PR for issues found in llvm/llvm-project inherited workflows.
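
The pattern described in this PR, and the `packages: write` grant that the follow-up commit needed for image pushes, can be sketched in one workflow. This is an added example, not a file from intel/llvm: the workflow name, job names, trigger and the `OWNER/REPO/example-image` tag are placeholders.

```yaml
# Hypothetical workflow; names and the image tag are illustrative placeholders.
name: Build container (example)

on:
  push:
    branches: [sycl]

# Workflow-level default: every job gets a read-only GITHUB_TOKEN
# unless it declares its own permissions block.
permissions:
  contents: read

jobs:
  lint:
    # No job-level block, so this job inherits contents: read only.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

  push-image:
    runs-on: ubuntu-latest
    # A job-level block replaces the workflow default for this job:
    # anything not listed here becomes "none", so contents: read is
    # restated next to the one extra scope the push needs.
    permissions:
      contents: read
      packages: write   # without this, a push to ghcr.io is denied
    steps:
      - uses: actions/checkout@v4
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - uses: docker/build-push-action@v5
        with:
          context: .
          push: true
          tags: ghcr.io/OWNER/REPO/example-image:${{ github.sha }}
```

When tightening defaults this way, each job that publishes, comments, or uploads needs its write scopes listed explicitly, and a test run outside a pull request is the quickest way to confirm nothing was missed.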