[GitHub] [beam] damccorm commented on pull request #25715: ci: set minimal permissions for Github Workflows

["damccorm (via GitHub)" <gi...@apache.org>]

damccorm commented on PR #25715:
URL: https://github.com/apache/beam/pull/25715#issuecomment-1473735492

   👋🏻 hey, thanks for the contribution!
   
   Unfortunately, I don't think we actually need this, and it is actually a less restrictive model than we currently have. IIUC, we currently use the Default access (restricted) which only grants read to some things - https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
   
   From your issue:
   
   > I just read your [.github/ACTIONS.md](https://github.com/apache/beam/blob/master/.github/ACTIONS.md), in which AFAIU you already say that all of the action on the repo should have permissions: read-all on their top-level. So I apologize if in this issue I'm bringing informations that you were already aware of.
   
   This is actually probably outdated since we've temporarily frozen our migration to self-hosted actions, and I think it was actually intended to make things a little more permissive to get some read permissions used for workflow management. Until we pick that up, I don't think we should make changes to our permission model unless there are specific workflows that clearly have too many permissions.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: github-unsubscribe@beam.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org