Skip to content

🌱 drop pr approver workflow top-level permissions #10659

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
May 22, 2024
Merged

🌱 drop pr approver workflow top-level permissions #10659

merged 1 commit into from
May 22, 2024

Conversation

tuminoid
Copy link
Contributor

What this PR does / why we need it:

Set PR approver workflow top-level permissions to none. This is the best practice for GH actions, and for example OpenSSF Scorecards penalize CAPI for not having it.

/area ci

@tuminoid
drop pr approver workflow top-level permissions
37efb8f 
Set top-level permissions to none. This is the best practice for
GH actions, and for example OpenSSF Scorecards penalize CAPI for
not having it.

Signed-off-by: Tuomo Tanskanen <[email protected]>
@k8s-ci-robot k8s-ci-robot added area/ci Issues or PRs related to ci cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels May 22, 2024
@k8s-ci-robot k8s-ci-robot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label May 22, 2024
@sbueringer
Copy link
Member

Does this workflow work without any permissions?

@tuminoid
Copy link
Contributor Author

tuminoid commented May 22, 2024
edited
Loading

Does this workflow work without any permissions?

Setting the job level permissions to actions: write already drops all other permissions from the job: If you specify the access for any of these scopes, all of those that are not specified are set to none.

As described, this is merely a best practice improvement to explicitly drop them at top-level (ie. safe guards against adding another job without permissions = full access via top-level) and it makes security scanners happier. For example, OpenSSF scorecard.

@sbueringer
Copy link
Member

Ups, missed that we are adding the permission on the lower level

@sbueringer
Copy link
Member

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label May 22, 2024
@k8s-ci-robot
Copy link
Contributor

LGTM label has been added.

Git tree hash: e8c924efdec7abf6cdca1fd48f65b07b658faab0

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: sbueringer

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 22, 2024
@k8s-ci-robot k8s-ci-robot merged commit eaf97bc into kubernetes-sigs:main May 22, 2024
19 checks passed
@k8s-ci-robot k8s-ci-robot added this to the v1.8 milestone May 22, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jackfrancis jackfrancis Awaiting requested review from jackfrancis

@JoelSpeed JoelSpeed Awaiting requested review from JoelSpeed

Assignees

@sbueringer sbueringer

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/ci Issues or PRs related to ci cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.
Projects
None yet
Milestone
v1.8
Development

Successfully merging this pull request may close these issues.
3 participants
@tuminoid @sbueringer @k8s-ci-robot