try to set pull_request_target permissions to read only

Signed-off-by: Theodor Mihalache <[email protected]>
tmihalac · Sep 23, 2024 · f57d64f · f57d64f
1 parent be6572d
commit f57d64f
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 5 deletions.
diff --git a/.github/workflows/java_pr.yml b/.github/workflows/java_pr.yml
@@ -29,6 +29,8 @@ jobs:
         run: make lint-java
 
   unit-test-java:
+    permissions: read-all
+
     # when using pull_request_target, all jobs MUST have this if check for 'ok-to-test' or 'approved' for security purposes.
     if:
       ((github.event.action == 'labeled' && (github.event.label.name == 'approved' || github.event.label.name == 'lgtm' || github.event.label.name == 'ok-to-test')) ||
@@ -70,6 +72,8 @@ jobs:
           path: ${{ github.workspace }}/docs/coverage/java/target/site/jacoco-aggregate/
 
   build-docker-image-java:
+    permissions: read-all
+
     # when using pull_request_target, all jobs MUST have this if check for 'ok-to-test' or 'approved' for security purposes.
     if:
       ((github.event.action == 'labeled' && (github.event.label.name == 'approved' || github.event.label.name == 'lgtm' || github.event.label.name == 'ok-to-test')) ||
@@ -105,6 +109,8 @@ jobs:
         run: make build-${{ matrix.component }}-docker REGISTRY=${REGISTRY} VERSION=${GITHUB_SHA}
 
   integration-test-java-pr:
+    permissions: read-all
+
     # when using pull_request_target, all jobs MUST have this if check for 'ok-to-test' or 'approved' for security purposes.
     if:
       ((github.event.action == 'labeled' && (github.event.label.name == 'approved' || github.event.label.name == 'lgtm' || github.event.label.name == 'ok-to-test')) ||

diff --git a/.github/workflows/lint_pr.yml b/.github/workflows/lint_pr.yml
@@ -7,10 +7,6 @@ on:
       - edited
       - synchronize
 
-permissions:
-  # read-only perms specified due to use of pull_request in lieu of security label check
-  pull-requests: read
-
 jobs:
   validate-title:
     if:

diff --git a/.github/workflows/pr_local_integration_tests.yml b/.github/workflows/pr_local_integration_tests.yml
@@ -10,7 +10,8 @@ on:
 
 jobs:
   integration-test-python-local:
-    # when using pull_request, all jobs MUST have this if check for 'ok-to-test' or 'approved' for security purposes.
+    # when using pull_request_target, all jobs MUST have this if check for 'ok-to-test' or 'approved' for security purposes.
+    #TODO not sure this check is needed anymore, changed to on pull_request
     if:
       ((github.event.action == 'labeled' && (github.event.label.name == 'approved' || github.event.label.name == 'lgtm' || github.event.label.name == 'ok-to-test')) ||
       (github.event.action != 'labeled' && (contains(github.event.pull_request.labels.*.name, 'ok-to-test') || contains(github.event.pull_request.labels.*.name, 'approved') || contains(github.event.pull_request.labels.*.name, 'lgtm')))) &&