Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(actions): Adjust GitHub Actions permissions (write for release, read-only for others) #2154

Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

chore(actions): Adjust GitHub Actions permissions (write for release, read-only for others) #2154

wants to merge 3 commits into from
+14 −0

Conversation

kotakanbe
Copy link
Member

@kotakanbe kotakanbe commented Mar 24, 2025
edited
Loading

What did you implement:

This pull request includes changes to multiple GitHub Actions workflow files to add permissions settings. These changes ensure that the workflows have the appropriate read or write permissions for the contents they interact with.

Changes to GitHub Actions workflows:

For details, see: https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update

How Has This Been Tested?

Please verify whether the Goreleaser YAML works correctly in the real environment the next time we create a tag.

Checklist:

  • Write tests
  • Write documentation
  • Check that there aren't other open pull requests for the same issue/feature
  • Format your source code by make fmt
  • Pass the test by make test
  • Provide verification config / commands
  • Enable "Allow edits from maintainers" for this PR
  • Update the messages below

Is this ready for review?: YES

@kotakanbe kotakanbe requested review from MaineK00n and shino March 24, 2025 02:19
shino
shino reviewed Mar 24, 2025
View reviewed changes
Copy link
Collaborator

@shino shino left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Scorecard page https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions says:

The highest score is awarded when the permissions definitions in each workflow's yaml file are set as read-only at the top level and the required write permissions are declared at the run-level.

It's depending on the aims we want to achive, but how about changing top-level of goreleaser.yml to read and adding contents: write to "Run GoReleaser" step? Maybe too bureaucratic? :)

shino
shino approved these changes Mar 26, 2025
View reviewed changes
Copy link
Collaborator

@shino shino left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great work! 🍻

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@shino shino shino approved these changes

@MaineK00n MaineK00n Awaiting requested review from MaineK00n

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@kotakanbe @shino