Update main.yml permissions#439

Closed
joycebrum wants to merge 1 commit into python:main from joycebrum:main

Conversation

@joycebrum

Contributor

Changes

Closes #438

Looking at the tox documentation, it does not seem to need id-token. Also I've looked into https://github.com/jaraco/jaraco.develop/blob/main/jaraco/develop/create-github-release.py and the permissions seem to be only metadata: read (which is always read) and contents: write (granted to the job).

The other jobs seem to need only contents: read, but I wasn't able to check due to test failures.

See what you think and if I may be missing something.

Signed-off-by: Joyce <joycebrum@google.com>
@jaraco

jaraco commented Mar 18, 2023

Member

Superseded by jaraco/skeleton#76.

@jaraco jaraco closed this Mar 18, 2023
@joycebrum

joycebrum commented Mar 20, 2023

Contributor Author

Just a comment: although the workflow used has its permissions set to minimal scope, since it is this workflow that creates the GITHUB_TOKEN, for all other commands/workflows it will have the write-all permission if no permission is set in the yml file.

I believe this PR would still be an addition to supply-chain security; if possible, please reconsider.

Thanks!
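The permission layout discussed in the PR description and in the comment above, written out as an added example workflow. This is not the repository's main.yml and not code from jaraco/skeleton; the job names, the tox and release steps, and the action version pins are assumptions chosen to illustrate the point. A workflow with no permissions block gets whatever the repository or organization default for GITHUB_TOKEN is (historically write-all for older repositories, read-only for repositories created after GitHub changed the default), so the safe pattern is to pin a read-only default at the top of the file and widen it only on the job that needs more.

```yaml
# Constructed example workflow (not the project's own main.yml).
name: tests

# Workflow-level default for GITHUB_TOKEN in every job below. Without this
# block the token falls back to the repository/organization default, which
# may still be write-all. id-token is deliberately absent: tox does not
# need an OIDC token, so no job here gets it.
permissions:
  contents: read

on:
  push:
  pull_request:

jobs:
  test:
    # Inherits the read-only default: enough to check out the code and run tox.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-python@v4
        with:
          python-version: "3.x"
      - run: pip install tox   # assumed step
      - run: tox               # assumed step

  release:
    needs: test
    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
    runs-on: ubuntu-latest
    # Creating a GitHub release writes to the repository, so only this job
    # gets contents: write. A job-level permissions block overrides the
    # workflow-level one rather than merging with it (every scope not listed
    # here is dropped, apart from metadata: read, which is always granted),
    # so list every scope this job needs.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-python@v4
        with:
          python-version: "3.x"
      # Assumed invocation of the release helper referenced in the PR description.
      - run: pip install jaraco.develop
      - run: python -m jaraco.develop.create-github-release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

A quick check after applying this: open a run's job page and look at the "GITHUB_TOKEN Permissions" entry at the top of the job log; the test job should list only contents: read and metadata: read, and only the release job should list contents: write.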

@FFY00

FFY00 commented Mar 20, 2023

Member

@joycebrum the change was merged into https://github.com/jaraco/skeleton, and this repo was updated to the latest skeleton version, so your change already got pulled 😅

https://github.com/python/importlib_metadata/commits/main
109f8c0

@joycebrum

Contributor Author

Aaaah, my bad. I didn't notice it worked like that 😅. Thanks for the explanation.

Development

Successfully merging this pull request may close these issues.

Set github workflow to minimal permissions

3 participants