ci: declare contents: read on mock-nvml-e2e and tests #1126
arpitjain099 wants to merge 2 commits into
✅ Deploy Preview for dra-driver-nvidia-gpu ready!
To edit notification comments on pull requests, go to your Netlify project configuration.

Welcome @arpitjain099!

[APPROVALNOTIFIER] This PR is NOT APPROVED. This pull-request has been approved by: arpitjain099. The full list of commands accepted by this bot can be found here. Details: Needs approval from an approver in each of these files. Approvers can indicate their approval by writing

Hi @arpitjain099. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Regular contributors should join the org to skip this step. Once the patch is verified, the new status will be reflected by the
I understand the commands that are listed here. Details: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
2367858 to b75e142
Friendly ping in case this slipped off the queue - has been waiting on

/ok-to-test

/release-note-none

Thanks @visheshtanksale. For the record: this PR only adds

/retest
@arpitjain099: The following tests failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Details: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
Yes, those failures are not related.

@arpitjain099 can you make similar changes to other workflows too? Other than the release-automation and issue-triage workflows, the rest should have only read permissions.
@shivamerla sure. Let me check it tomorrow.

Done, @shivamerla. I extended workflow-level

/ok-to-test
Both workflows are read-only: mock-nvml-e2e spins up a kind cluster with DRA and runs BATS suites; tests.yaml is a placeholder that documents the Prow-driven flow. No API writes.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>

Follow-up to the maintainer request to extend least-privilege permissions to the remaining workflows. Both golang.yaml and variables.yaml are reusable (on: workflow_call) and only check out code and run read-only lint/test/build/version steps, so contents: read is sufficient.

These are declared at the job level rather than the top level so the reusable workflows do not cap scopes inherited from callers. The ci.yaml -> basic-checks.yaml chain grants security-events: write for the CodeQL job in code_scanning.yaml, and a top-level cap on the shared reusable workflows could strip that. release-automation and issue-triage are intentionally left untouched as they need write access.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
9ed7c72 to 730a2e0
Pins the default `GITHUB_TOKEN` to read-only on the two CI workflows that hadn't declared scope:

- `mock-nvml-e2e.yaml` — emulates 8× GB200 NVL GPUs with the mock NVML from `nvidia/k8s-test-infra`, spins up a kind cluster with DRA, and runs the BATS suite.
- `tests.yaml` — placeholder workflow that documents the Prow-driven test flow.

Neither writes to GitHub. YAML validated locally.
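The token-scoping shapes the PR description and the second commit message describe, as an added illustrative example; these are not the repository's workflow files. The file names in the comments echo the ones named in the discussion (mock-nvml-e2e.yaml, ci.yaml, golang.yaml, code_scanning.yaml), but every job, step, script path and `make` target below is a placeholder, and `actions/checkout@v4` is the public checkout action. The four YAML documents are separated with `---` so they fit one block; in a real repository each would be its own file.

```yaml
# Added example, not the repository's own workflows. Job/step contents are
# placeholders; only the permission blocks are the point.

# --- Document 1: the "before" shape of a standalone CI workflow ------------
# No `permissions` key. GITHUB_TOKEN falls back to the repository or
# organization default, which may be the permissive read/write set, even
# though this job only checks out code and runs tests.
name: mock-nvml-e2e (before, illustrative)
on:
  pull_request:
jobs:
  e2e:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./hack/e2e.sh   # placeholder for the kind + DRA + BATS steps
---
# --- Document 2: the hardened standalone workflow ---------------------------
# A workflow-level `permissions` block replaces the default set entirely:
# every scope not listed becomes `none`, so the token can read the repo and
# nothing else. This is the shape the PR adds to mock-nvml-e2e.yaml/tests.yaml.
name: mock-nvml-e2e (after, illustrative)
on:
  pull_request:
permissions:
  contents: read
jobs:
  e2e:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./hack/e2e.sh   # placeholder
---
# --- Document 3: a caller granting a write scope to one called job ----------
# A called (reusable) workflow receives at most the scopes its caller passes
# and can only downgrade them, so a write scope such as `security-events:
# write` for code-scanning upload has to originate in the caller, and only
# on the job that needs it. Job-level `permissions` override the top-level
# block for that job.
name: ci (caller, illustrative)
on:
  pull_request:
permissions:
  contents: read
jobs:
  lint-and-test:
    uses: ./.github/workflows/golang.yaml          # read-only work
  code-scanning:
    permissions:
      contents: read
      security-events: write                        # upload scan results
    uses: ./.github/workflows/code_scanning.yaml
---
# --- Document 4: a reusable workflow scoping at the job level ---------------
# Declaring `permissions` per job keeps each job's needs explicit without a
# file-wide downgrade. A top-level `permissions: contents: read` in a
# reusable workflow applies to every job in the file that does not override
# it, so a job here that relied on a write scope passed by the caller would
# silently lose it; per-job declarations avoid that trap.
name: golang (reusable, illustrative)
on:
  workflow_call:
jobs:
  lint:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - run: make lint       # placeholder
  test:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - run: make test       # placeholder
```

A quick check that a workflow's token really is read-only is to inspect the "Set up job" log of a run: GitHub prints the resolved `GITHUB_TOKEN Permissions` table there, and every scope not declared should show as `none`.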