From f57d64fc562737f044606a48681d0c10c7864896 Mon Sep 17 00:00:00 2001
From: Theodor Mihalache
Date: Mon, 23 Sep 2024 13:52:22 -0400
Subject: [PATCH] try to set pull_request_target permissions to read only

Signed-off-by: Theodor Mihalache
---
 .github/workflows/java_pr.yml                    | 6 ++++++
 .github/workflows/lint_pr.yml                    | 4 ----
 .github/workflows/pr_local_integration_tests.yml | 3 ++-
 3 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/java_pr.yml b/.github/workflows/java_pr.yml
index 35623d901b7..cd31b50c890 100644
--- a/.github/workflows/java_pr.yml
+++ b/.github/workflows/java_pr.yml
@@ -29,6 +29,8 @@ jobs:
         run: make lint-java
   unit-test-java:
+    permissions: read-all
+
     # when using pull_request_target, all jobs MUST have this if check for 'ok-to-test' or 'approved' for security purposes.
     if: ((github.event.action == 'labeled' && (github.event.label.name == 'approved' || github.event.label.name == 'lgtm' || github.event.label.name == 'ok-to-test')) ||
@@ -70,6 +72,8 @@ jobs:
         path: ${{ github.workspace }}/docs/coverage/java/target/site/jacoco-aggregate/
   build-docker-image-java:
+    permissions: read-all
+
     # when using pull_request_target, all jobs MUST have this if check for 'ok-to-test' or 'approved' for security purposes.
     if: ((github.event.action == 'labeled' && (github.event.label.name == 'approved' || github.event.label.name == 'lgtm' || github.event.label.name == 'ok-to-test')) ||
@@ -105,6 +109,8 @@ jobs:
         run: make build-${{ matrix.component }}-docker REGISTRY=${REGISTRY} VERSION=${GITHUB_SHA}
   integration-test-java-pr:
+    permissions: read-all
+
     # when using pull_request_target, all jobs MUST have this if check for 'ok-to-test' or 'approved' for security purposes.
     if: ((github.event.action == 'labeled' && (github.event.label.name == 'approved' || github.event.label.name == 'lgtm' || github.event.label.name == 'ok-to-test')) ||
diff --git a/.github/workflows/lint_pr.yml b/.github/workflows/lint_pr.yml
index 164dde01949..81732258455 100644
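Review bot: The three `permissions: read-all` keys in java_pr.yml are attached to individual jobs (unit-test-java, build-docker-image-java, integration-test-java-pr), so any job in this workflow without its own key — the job whose `run: make lint-java` step is context at the top of the first hunk appears to be one — and any job added later still runs on the repository's default token, which on older repositories can be read-write. A single workflow-level `permissions: read-all` (or the narrower `contents: read`, since the visible steps only run `make` targets and handle artifacts) placed beside `on:` would make read-only the default for every job and the per-job keys redundant. The lint_pr.yml hunk on the following line has the same scoping problem in the opposite direction: it deletes the explicit `permissions: pull-requests: read` block rather than tightening it, so that workflow falls back to the repository default, and if that default is the restricted `contents: read` the validate-title job may lose the pull-request read access it had. Token scope does not address the pull_request_target hazard the label-gated `if:` conditions exist for — a checked-out fork head still runs with repository secrets — so those checks remain the primary control and should be kept as they are. Each job's body continues outside its hunk.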
--- a/.github/workflows/lint_pr.yml
+++ b/.github/workflows/lint_pr.yml
@@ -7,10 +7,6 @@ on:
       - edited
       - synchronize
-permissions:
-  # read-only perms specified due to use of pull_request in lieu of security label check
-  pull-requests: read
-
 jobs:
   validate-title:
     if:
diff --git a/.github/workflows/pr_local_integration_tests.yml b/.github/workflows/pr_local_integration_tests.yml
index 8cadc987f25..3cad4862eb1 100644
--- a/.github/workflows/pr_local_integration_tests.yml
+++ b/.github/workflows/pr_local_integration_tests.yml
@@ -10,7 +10,8 @@ on:
 jobs:
   integration-test-python-local:
-    # when using pull_request, all jobs MUST have this if check for 'ok-to-test' or 'approved' for security purposes.
+    # when using pull_request_target, all jobs MUST have this if check for 'ok-to-test' or 'approved' for security purposes.
+    #TODO not sure this check is needed anymore, changed to on pull_request
     if: ((github.event.action == 'labeled' && (github.event.label.name == 'approved' || github.event.label.name == 'lgtm' || github.event.label.name == 'ok-to-test')) ||
       (github.event.action != 'labeled' && (contains(github.event.pull_request.labels.*.name, 'ok-to-test') || contains(github.event.pull_request.labels.*.name, 'approved') || contains(github.event.pull_request.labels.*.name, 'lgtm')))) &&