Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ci: Set most GITHUB_TOKEN permissions back to defaults #17618

Merged

Conversation

danielhjacobs
Copy link
Contributor

@danielhjacobs
Copy link
Contributor Author

Fix for #17322

@danielhjacobs danielhjacobs force-pushed the fix-github-token-permissions branch from c225b4a to 9a10286 Compare August 23, 2024 15:10
@danielhjacobs danielhjacobs changed the title ci: Set post GITHUB_TOKEN permissions back to defaults ci: Set most GITHUB_TOKEN permissions back to defaults Aug 23, 2024
@torokati44
Copy link
Member

Does it really need this many write permissions just to produce attestations? 🤔

@danielhjacobs
Copy link
Contributor Author

I don't know what it needs. These are the default permissions granted by a repo with a permissive access policy, and until 3 days ago, these are what we used. These are still the permissions being used by every other job in this workflow aside from these web jobs.

@danielhjacobs
Copy link
Contributor Author

See also my latest message in the meta-discussion channel on Discord.

@torokati44
Copy link
Member

@torokati44
Copy link
Member

torokati44 commented Aug 23, 2024

Just based on plain logic and common sense:

What do you think about trying something like this?

      actions: read
      attestations: write
      checks: read
      contents: none
      deployments: none
      discussions: none
      id-token: write
      issues: none
      metadata: read
      packages: none
      pages: none
      pull-requests: read
      repository-projects: none
      security-events: none
      statuses: write

@danielhjacobs
Copy link
Contributor Author

contents: read appears in the example for npm provenance, so it might be necessary: https://docs.npmjs.com/generating-provenance-statements#example-github-actions-workflow. Not sure though, as they don't say it's necessary.

I can try those. The annoying part is that I can't test this stuff easily, so we just need to test it live.

@danielhjacobs
Copy link
Contributor Author

@torokati44
Copy link
Member

Let's make content to read then?

The annoying part is that I can't test this stuff easily, so we just need to test it live.

That's fine I guess, one missed nightly is not the end of the world. And it may even work out fine!

@danielhjacobs
Copy link
Contributor Author

Pushed these changes. We may also want to look into setting default access to restricted if we want to restrict access levels for this token.

Copy link
Member

@torokati44 torokati44 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I mean, let's see...! What's the worst that could happen?!

@danielhjacobs
Copy link
Contributor Author

It's broken already and it's reduced permissions compared to what it used to be (except for id-token, but provenance requires that). So let's try it.

@danielhjacobs danielhjacobs enabled auto-merge (rebase) August 23, 2024 16:14
@danielhjacobs danielhjacobs merged commit d17b29c into ruffle-rs:master Aug 23, 2024
17 checks passed
@danielhjacobs danielhjacobs deleted the fix-github-token-permissions branch August 23, 2024 16:29
@torokati44
Copy link
Member

Huh...?

Invalid workflow file: .github/workflows/release_nightly.yml#L318
The workflow is not valid. .github/workflows/release_nightly.yml (Line: 318, Col: 7): Unexpected value 'metadata'

@danielhjacobs
Copy link
Contributor Author

metadata is apparently set without being explicitly set as it was set yesterday.

I'm away from my computer but you can try removing that key/value.

@torokati44
Copy link
Member

And now we have:

HTTP 403: Resource not accessible by integration (https://uploads.github.com/repos/ruffle-rs/ruffle/releases/171776832/assets?label=&name=ruffle-nightly-2024_08_24-reproducible-source.zip)

@torokati44
Copy link
Member

Apparently we need contents: write.
https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token#overview
How, and why, releases are "contents" is weird to me. I assumed it was strictly about what git itself manages.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants