Collaborator

@jreineckearm jreineckearm commented Aug 8, 2025

Addresses

Changes

  • Restore global permissions for all workflows to be only "contents: read" as suggested by best practices. Got changed with a recent PR.
  • Disable "contents: write" for TPIP workflow until git push gets resurrected.

Other flagged security warnings had been dismissed as "won't fix" before. They can't be avoided to keep the needed level of CI automation.
@soumeh01, curious if we can add ignore-comments to the workflows similar to our linters. Given we'll never change the workflows but issues can be re-raised.

Screenshots

Checklist

  • 🤖 This change is covered by unit tests (if applicable).
  • 🤹 Manual testing has been performed (if necessary).
  • 🛡️ Security impacts have been considered (if relevant).
  • 📖 Documentation updates are complete (if required).
  • 🧠 Third-party dependencies and TPIP updated (if required).

  as suggested by best practices
* disable "contents: write" for tpip workflow
  until git push gets resurrected

Signed-off-by: Jens Reinecke <[email protected]>
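
An added example, not part of this pull request or the repository's own code: a small Python check for the rule stated in the description, that each workflow's global (top-level) `permissions` is exactly `contents: read`. The workflow names and contents are constructed samples, and the line-based parsing assumes block-style YAML with top-level keys at column 0.

```python
import re

# Constructed sample workflows; names and contents are illustrative only.
WORKFLOWS = {
    # Global read-only, one job elevated on its own (job-level keys are indented).
    "build.yml": "name: build\npermissions:\n  contents: read\njobs:\n"
                 "  publish:\n    permissions:\n      contents: write\n",
    # Global write access.
    "tpip.yml": "name: tpip\npermissions:\n  contents: write\njobs:\n  report: {}\n",
    # No global block at all.
    "nightly.yml": "name: nightly\njobs:\n  run: {}\n",
}

def top_level_permissions(text):
    """Return workflow-level permissions: a dict, a scalar string, or None if absent."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"permissions:\s*(.*?)\s*(#.*)?$", line)  # column 0 only
        if not m:
            continue
        if m.group(1):  # inline form, e.g. "permissions: read-all"
            return m.group(1)
        scopes = {}
        for child in lines[i + 1:]:
            if child.strip() and not child.startswith((" ", "\t")):
                break  # the next top-level key ends the block
            cm = re.match(r"\s+([\w-]+):\s*([\w-]+)", child)
            if cm:
                scopes[cm.group(1)] = cm.group(2)
        return scopes
    return None

def audit(workflows):
    """Map file name -> finding where global permissions are not exactly contents: read."""
    findings = {}
    for name, text in workflows.items():
        perms = top_level_permissions(text)
        if perms is None:
            findings[name] = "no top-level permissions block (repository default applies)"
        elif perms != {"contents": "read"}:
            findings[name] = f"top-level permissions are {perms!r}"
    return findings

if __name__ == "__main__":
    for name, finding in audit(WORKFLOWS).items():
        print(f"{name}: {finding}")
```

Job-level `permissions` blocks are deliberately ignored, so a workflow that is read-only globally and elevates a single job passes the check.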

qltysh bot commented Aug 8, 2025

Diff Coverage: Not applicable. There was no coverage data reported for the files in this diff.

Total Coverage: This PR will not change total coverage.


Member

@jkrech jkrech left a comment


LGTM

@jreineckearm jreineckearm merged commit 1209fe9 into main Aug 11, 2025
16 checks passed
@jreineckearm jreineckearm deleted the scorecard-fixes branch August 11, 2025 08:31