Per-job permissions for create_new_cache and rust workflows #385
Open
arpitjain099 wants to merge 2 commits into
Conversation
Both workflows use actions/cache so the runner needs actions: write on the cache save path; everything else they do is repo read access. Adds per-job permissions blocks to match the style already used in codeql.yml and copilot-setup-steps.yml. Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
Contributor
Pull request overview
This PR hardens GitHub Actions security by adding explicit per-job permissions: blocks to the remaining workflows that were relying on the repository/org default GITHUB_TOKEN scope, aligning them with the existing style used in codeql.yml and copilot-setup-steps.yml.
Changes:
- Add per-job `permissions` to `.github/workflows/rust.yml` for all three jobs (`build_ubuntu`, `provider_integration`, `build_windows`).
- Add per-job `permissions` to `.github/workflows/create_new_cache.yml` for both cache-priming jobs (Ubuntu/Windows).
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| .github/workflows/rust.yml | Adds per-job token scoping (contents: read, actions: write) for builds/tests/caching/artifact upload jobs. |
| .github/workflows/create_new_cache.yml | Adds per-job token scoping (contents: read, actions: write) for cache creation jobs using actions/cache/save. |
2850bd7 to 546d4be
| build_windows: | ||
| permissions: | ||
| contents: read | ||
| actions: write |
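Review bot: the `actions: write` grant on `build_windows` carries no comment saying which step needs it; the only justification (the cache save path of actions/cache, per the PR description) lives in the PR text, not in the file. Suggest a one-line YAML comment above `actions: write` naming the step that requires it, so a later maintainer who changes the cache steps can verify the grant is still needed and drop it back to `contents: read` alone if it is not.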
Author
Hi @rajesh-gali, gentle ping on this. PR has been open for 4 days without review. I noticed you've been on the recent-merger side of recent merges in this repo. When you have a moment, would you mind giving it a quick look? No urgency. Happy to address any feedback.
Two remaining workflows in this repo run without an explicit `permissions:` block, so the `GITHUB_TOKEN` falls back to the repo/org default scope (typically broader than necessary). The hardened siblings (`codeql.yml`, `copilot-setup-steps.yml`) already use per-job permissions blocks, so this PR matches that style.

`create_new_cache.yml`

Two jobs (`ubuntu`, `windows`). Both checkout the repo and call `actions/cache/save@v5` to populate the Cargo cache. Granted:

`rust.yml`

Three jobs (`build_ubuntu`, `provider_integration`, `build_windows`). They run cargo lint/test, upload artifacts, and use `actions/cache@v5` (which saves on cache miss) plus `actions/cache/restore@v5` (read-only). Same minimal scope as above is sufficient because the workflow only reads source and writes to the cache.

YAML validated locally with `python3 -c "import yaml; yaml.safe_load(...)"` for both files. No behavioral change.
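The check that motivates a PR like this, finding jobs that still inherit the default `GITHUB_TOKEN` scope, can be scripted. The following is an added example, not code from this PR or the repository it targets. It operates on the dict that `yaml.safe_load()` returns for a workflow file; the sample workflow is a constructed one written as that dict directly so the audit runs without PyYAML, and the function names (`effective_permissions`, `audit`, `needs_fix`) are the example's own.

```python
"""Audit GitHub Actions workflows for jobs relying on the default GITHUB_TOKEN scope.

Added example, not part of the PR or the repository. It works on the dict
yaml.safe_load() returns for a workflow file. Only the `jobs` mapping is read,
so PyYAML's habit of parsing the bare `on:` key as boolean True does not matter.
"""
import sys

# Constructed sample: one job already scoped per-job, one job that inherits
# whatever the repository/org default token scope happens to be.
SAMPLE_WORKFLOW = {
    "name": "rust",
    "on": {"push": {}, "pull_request": {}},
    "jobs": {
        "build_ubuntu": {
            "runs-on": "ubuntu-latest",
            "permissions": {"contents": "read", "actions": "write"},
            "steps": [
                {"uses": "actions/checkout@v4"},
                {"uses": "actions/cache@v5",
                 "with": {"path": "~/.cargo", "key": "cargo-example"}},
                {"run": "cargo test"},
            ],
        },
        "build_windows": {
            "runs-on": "windows-latest",
            "steps": [
                {"uses": "actions/checkout@v4"},
                {"run": "cargo test"},
            ],
        },
    },
}


def effective_permissions(workflow, job):
    """Return (scope, source): the permissions value that applies to `job`
    and whether it came from the job, the workflow top level, or the default."""
    if "permissions" in job:
        return job["permissions"], "job"
    if "permissions" in workflow:
        return workflow["permissions"], "workflow"
    return None, "default"


def audit(workflow):
    """One finding per job: where its token scope comes from and which scopes
    are writable. A 'writes' of ['*'] means the catch-all `write-all`."""
    findings = []
    for name, job in workflow.get("jobs", {}).items():
        scope, source = effective_permissions(workflow, job)
        if scope == "write-all":
            writes = ["*"]
        elif isinstance(scope, dict):
            writes = sorted(k for k, v in scope.items() if v == "write")
        else:  # None (default scope) or "read-all"
            writes = []
        findings.append({"job": name, "source": source, "writes": writes})
    return findings


def needs_fix(workflow):
    """Jobs that need an explicit, narrowed permissions block: those with no
    block at any level, and those granted the blanket write-all."""
    return [f["job"] for f in audit(workflow)
            if f["source"] == "default" or f["writes"] == ["*"]]


def main(paths):
    # With file arguments, parse real workflows (PyYAML needed); otherwise
    # run against the constructed sample above.
    if paths:
        import yaml
        targets = []
        for path in paths:
            with open(path) as fh:
                targets.append((path, yaml.safe_load(fh)))
    else:
        targets = [("<constructed sample>", SAMPLE_WORKFLOW)]
    for path, workflow in targets:
        for f in audit(workflow):
            print(f"{path}: job={f['job']} source={f['source']} writes={f['writes']}")
        if needs_fix(workflow):
            print(f"{path}: jobs needing a permissions block: {needs_fix(workflow)}")


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it with no arguments to see the sample's `build_windows` flagged, or pass `.github/workflows/*.yml` to audit a checkout; a job that inherits a workflow-level block is reported with `source=workflow`, which is acceptable, but `source=default` is the case this PR closes.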