-
Notifications
You must be signed in to change notification settings - Fork 11
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
DOC Add note about permissions to readme #138
DOC Add note about permissions to readme #138
Conversation
276dae1
to
67f1711
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ack
In gha-ci we already set permissions: {} and individual permissions on jobs
Have we validated that setting contents: write
in the module level ci.yml is quickly overwritten to the permissions: {}
in the shared-workflow ci.yml?
Cos otherwise, contents: write
seems like very risky thing to ask people to set? GitHub actions by default will set contents: read
for pull-requests, I'm not sure if this would overwrite that, though I think it would?
Right, and that works for everything in the silverstripe org because of the overly-permissive permissions I mentioned in the PR description. We're basically bypassing the permission requirements anyway.
I don't know what you mean by that - but I did test that |
I guess the other option is to split out the gha-tag-release part into its own job? So CI would trigger a new workflow for tagging instead of directly using that action as part of the CI workflow? |
I don't think that's true, there was a lot of trial and error to get those permissions correct. It wasn't simply a case of "everything has write permissions by default therefore its work" What I don't quite understand is that things work fine on the actions on the creative-commoners account, so it's possibly not a cross-org issue? Though maybe stuff isn't actually working there and I just haven't noticed
Yeah I think that's probably a good idea, that should entirely remove the need to worry about We already 'trigger' other workflows in other places e.g. /~https://github.com/silverstripe/gha-trigger-ci/blob/1/action.yml#L81 |
As mentioned in the issue description and clarified in person, this is because we're using "Read and write permissions" instead of "Read repository contents and packages permissions" - which means that we don't have to declare permissions directly in the
I'll proceed with that. |
Gonna do that in a separate PR. |
Anyone who wants to use this with their own modules will need to set the correct permissions, so we should show them how and let them know about possible security implications.
Note that we don't have this in our repos'
ci.yml
files right now because some if not all of our own repos have Workflow permissions set toWe might want to demote that to
Issue