ci: Set most GITHUB_TOKEN permissions back to defaults #17618
Fix for #17322
c225b4a to 9a10286
Does it really need this many
I don't know what it needs. These are the default permissions granted by a repo with a permissive access policy, and until 3 days ago, these are what we used. These are still the permissions being used by every other job in this workflow aside from these web jobs.
See also my latest message in the meta-discussion channel on Discord.
Just based on plain logic and common sense: What do you think about trying something like this?
I can try those. The annoying part is that I can't test this stuff easily, so we just need to test it live.
Let's make
That's fine I guess, one missed nightly is not the end of the world. And it may even work out fine!
Pushed these changes. We may also want to look into setting default access to restricted if we want to restrict access levels for this token.
I mean, let's see...! What's the worst that could happen?!
It's broken already and it's reduced permissions compared to what it used to be (except for id-token, but provenance requires that). So let's try it.
Huh...?
metadata is apparently set without being explicitly set as it was set yesterday. I'm away from my computer but you can try removing that key/value.
And now we have:
Apparently we need
Should match https://docs.github.com/en/actions/security-for-github-actions/security-guides/automatic-token-authentication#permissions-for-the-github_token and these permissions, except for id-token: