Posted to github@beam.apache.org by "diogoteles08 (via GitHub)" <gi...@apache.org> on 2023/03/03 17:17:11 UTC

[GitHub] [beam] diogoteles08 opened a new pull request, #25715: ci: set minimal permissions for Github Workflows

diogoteles08 opened a new pull request, #25715:
URL: https://github.com/apache/beam/pull/25715

   The changes were done to always leave top-level read-only permissions, and then have permissive job-level permissions if any job requires them.
   
   WARN: I was not able to determine the specific permissions required for the following jobs:
   - java_tests.yml
   - run_rc_validation.yml 
   So I left them read-only and it should be tested. If you wish, I can enable the workflows on my fork and test them there.
   
   Closes #25641
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: github-unsubscribe@beam.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
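
The layout the pull request description gives (read-only at the top level, write scopes only on the jobs that need them) can be checked mechanically. The following is an added example, not code from the pull request or from apache/beam: a small Python audit that assumes conventional two-space workflow indentation; `SAMPLE`, `WRITE`, `permission_blocks` and `audit` are hypothetical names.

```python
# Constructed sample workflow (not taken from apache/beam).
SAMPLE = """\
on: pull_request
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - run: ./run_tests.sh
  comment:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
    steps:
      - run: echo "post results"
"""
WRITE = ("write", "write-all")

def permission_blocks(text):
    """Map 'top' or a job name to its declared permissions (scope -> access)."""
    blocks, job, current, perm_indent, in_jobs = {}, None, None, 0, False
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        key, _, value = (s.strip() for s in raw.split(" #")[0].partition(":"))
        if current is not None and indent > perm_indent:
            blocks[current][key] = value  # a scope inside a permissions block
            continue
        current = None
        in_jobs = key == "jobs" if indent == 0 else in_jobs
        job = key if in_jobs and indent == 2 else job
        if key == "permissions" and (indent == 0 or (in_jobs and indent == 4)):
            current, perm_indent = ("top" if indent == 0 else job), indent
            blocks[current] = {"*": value} if value else {}
    return blocks

def audit(text):
    """List findings: missing or writable top level, and jobs holding write scopes."""
    blocks, findings = permission_blocks(text), []
    top = blocks.pop("top", None)
    if top is None:
        findings.append("top-level: no permissions key, repository default applies")
    elif any(v in WRITE for v in top.values()):
        findings.append("top-level: grants write access")
    for name, perms in blocks.items():
        if writes := sorted(k for k, v in perms.items() if v in WRITE):
            findings.append(f"job {name}: write on {', '.join(writes)}")
    return findings
```

Job-level write findings are expected under this layout; they are the list a reviewer confirms against what each job actually does.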


[GitHub] [beam] github-actions[bot] commented on pull request #25715: ci: set minimal permissions for Github Workflows

Posted by "github-actions[bot] (via GitHub)" <gi...@apache.org>.
github-actions[bot] commented on PR #25715:
URL: https://github.com/apache/beam/pull/25715#issuecomment-1453903099

   Assigning reviewers. If you would like to opt out of this review, comment `assign to next reviewer`:
   
   R: @Abacn for label build.
   
   Available commands:
   - `stop reviewer notifications` - opt out of the automated review tooling
   - `remind me after tests pass` - tag the comment author after tests pass
   - `waiting on author` - shift the attention set back to the author (any comment or push by the author will return the attention set to the reviewers)
   
   The PR bot will only process comments in the main thread (not review comments).




[GitHub] [beam] damccorm commented on pull request #25715: ci: set minimal permissions for Github Workflows

Posted by "damccorm (via GitHub)" <gi...@apache.org>.
damccorm commented on PR #25715:
URL: https://github.com/apache/beam/pull/25715#issuecomment-1473927260

   Thank you!




[GitHub] [beam] github-actions[bot] commented on pull request #25715: ci: set minimal permissions for Github Workflows

Posted by "github-actions[bot] (via GitHub)" <gi...@apache.org>.
github-actions[bot] commented on PR #25715:
URL: https://github.com/apache/beam/pull/25715#issuecomment-1469896585

   Assigning new set of reviewers because PR has gone too long without review. If you would like to opt out of this review, comment `assign to next reviewer`:
   
   R: @damccorm for label build.
   
   Available commands:
   - `stop reviewer notifications` - opt out of the automated review tooling
   - `remind me after tests pass` - tag the comment author after tests pass
   - `waiting on author` - shift the attention set back to the author (any comment or push by the author will return the attention set to the reviewers)




[GitHub] [beam] diogoteles08 commented on pull request #25715: ci: set minimal permissions for Github Workflows

Posted by "diogoteles08 (via GitHub)" <gi...@apache.org>.
diogoteles08 commented on PR #25715:
URL: https://github.com/apache/beam/pull/25715#issuecomment-1473881203

   Hi Danny,
   
   Thanks for the kind answer.
   
   Using the GitHub setting of default restricted access is indeed a good approach and I'm glad you use them.
   
   Having the permissions written directly in the code also brings some extra security, but I completely understand you preferring not to change the workflows until the migration.
   
   I'm closing this for now, thanks! =)
   




[GitHub] [beam] github-actions[bot] commented on pull request #25715: ci: set minimal permissions for Github Workflows

Posted by "github-actions[bot] (via GitHub)" <gi...@apache.org>.
github-actions[bot] commented on PR #25715:
URL: https://github.com/apache/beam/pull/25715#issuecomment-1464898988

   Reminder, please take a look at this PR: @Abacn




[GitHub] [beam] diogoteles08 closed pull request #25715: ci: set minimal permissions for Github Workflows

Posted by "diogoteles08 (via GitHub)" <gi...@apache.org>.
diogoteles08 closed pull request #25715: ci: set minimal permissions for Github Workflows
URL: https://github.com/apache/beam/pull/25715




[GitHub] [beam] damccorm commented on pull request #25715: ci: set minimal permissions for Github Workflows

Posted by "damccorm (via GitHub)" <gi...@apache.org>.
damccorm commented on PR #25715:
URL: https://github.com/apache/beam/pull/25715#issuecomment-1473735492

   👋🏻 hey, thanks for the contribution!
   
   Unfortunately, I don't think we actually need this, and it is actually a less restrictive model than we currently have. IIUC, we currently use the Default access (restricted) which only grants read to some things - https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
   
   From your issue:
   
   > I just read your [.github/ACTIONS.md](https://github.com/apache/beam/blob/master/.github/ACTIONS.md), in which AFAIU you already say that all of the actions on the repo should have permissions: read-all on their top-level. So I apologize if in this issue I'm bringing information that you were already aware of.
   
   This is actually probably outdated since we've temporarily frozen our migration to self-hosted actions, and I think it was actually intended to make things a little more permissive to get some read permissions used for workflow management. Until we pick that up, I don't think we should make changes to our permission model unless there are specific workflows that clearly have too many permissions.

