author | Jay Huh <jewoongh@meta.com> | 2024-08-26 15:28:17 -0700 |
---|---|---|
committer | Facebook GitHub Bot <facebook-github-bot@users.noreply.github.com> | 2024-08-26 15:28:17 -0700 |
commit | 0082907bf2021d8cccba4a911084f1b1b7054864 (patch) | |
tree | 23b245e7014b23cac785d23547515f4b8d21ff54 /.github | |
parent | d96e67c2bf7f8907c1edfd27d2e6a37b2a2bfce1 (diff) |
Scope down workflow permissions (#12973)
Summary:
Followed instruction per https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#defining-access-for-the-github_token-scopes
It turns out that we did not need any of these except `Metadata: read`.
Before
```
GITHUB_TOKEN Permissions
Actions: write
Attestations: write
Checks: write
Contents: write
Deployments: write
Discussions: write
Issues: write
Metadata: read
Packages: write
Pages: write
PullRequests: write
RepositoryProjects: write
SecurityEvents: write
Statuses: write
```
After
```
GITHUB_TOKEN Permissions
Metadata: read
```
Pull Request resolved: https://github.com/facebook/rocksdb/pull/12973
Test Plan: GitHub Actions triggered by this PR
Reviewed By: cbi42
Differential Revision: D61812651
Pulled By: jaykorean
fbshipit-source-id: 4413756c93f503e8b2fb77eb8b684ef9e6a6c13d
Diffstat (limited to '.github')
-rw-r--r-- | .github/workflows/benchmark-linux.yml | 12 |
-rw-r--r-- | .github/workflows/nightly-candidate.yml | 1 |
-rw-r--r-- | .github/workflows/nightly.yml | 1 |
-rw-r--r-- | .github/workflows/pr-jobs-candidate.yml | 1 |
-rw-r--r-- | .github/workflows/pr-jobs.yml | 1 |
5 files changed, 10 insertions, 6 deletions
diff --git a/.github/workflows/benchmark-linux.yml b/.github/workflows/benchmark-linux.yml index 929426091..bdf26c866 100644 --- a/.github/workflows/benchmark-linux.yml +++ b/.github/workflows/benchmark-linux.yml @@ -1,13 +1,13 @@ name: facebook/rocksdb/benchmark-linux -# FIXME: Disabled temporarily -# on: -# schedule: -# - cron: 7 */2 * * * # At minute 7 past every 2nd hour - +on: workflow_dispatch +permissions: {} + # FIXME: Disabled temporarily + # schedule: + # - cron: 7 */2 * * * # At minute 7 past every 2nd hour jobs: benchmark-linux: if: ${{ github.repository_owner == 'facebook' }} - runs-on: self-hosted + runs-on: ubuntu-latest # FIXME: change this back to self-hosted when ready steps: - uses: actions/checkout@v4.1.0 - uses: "./.github/actions/build-for-benchmarks" diff --git a/.github/workflows/nightly-candidate.yml b/.github/workflows/nightly-candidate.yml index 28a2d3405..bfc15d1b5 100644 --- a/.github/workflows/nightly-candidate.yml +++ b/.github/workflows/nightly-candidate.yml @@ -1,5 +1,6 @@ name: facebook/rocksdb/nightly on: workflow_dispatch +permissions: {} jobs: # These jobs would be in nightly but are failing or otherwise broken for # some reason. diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml index c075b5298..0bf343639 100644 --- a/.github/workflows/nightly.yml +++ b/.github/workflows/nightly.yml @@ -3,6 +3,7 @@ on: schedule: - cron: 0 9 * * * workflow_dispatch: +permissions: {} jobs: build-format-compatible: if: ${{ github.repository_owner == 'facebook' }} diff --git a/.github/workflows/pr-jobs-candidate.yml b/.github/workflows/pr-jobs-candidate.yml index 5c8e96842..c6e280fdf 100644 --- a/.github/workflows/pr-jobs-candidate.yml +++ b/.github/workflows/pr-jobs-candidate.yml @@ -1,5 +1,6 @@ name: facebook/rocksdb/pr-jobs-candidate on: workflow_dispatch +permissions: {} jobs: # These jobs would be in pr-jobs but are failing or otherwise broken for # some reason. 
diff --git a/.github/workflows/pr-jobs.yml b/.github/workflows/pr-jobs.yml index 627b4dfc0..9d89a111e 100644 --- a/.github/workflows/pr-jobs.yml +++ b/.github/workflows/pr-jobs.yml @@ -1,5 +1,6 @@ name: facebook/rocksdb/pr-jobs on: [push, pull_request] +permissions: {} jobs: # NOTE: multiple workflows would be recommended, but the current GHA UI in # PRs doesn't make it clear when there's an overall error with a workflow, |
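Review bot: In .github/workflows/benchmark-linux.yml, the switch from `runs-on: self-hosted` to `runs-on: ubuntu-latest` and the newly enabled `on: workflow_dispatch` trigger are not covered by the commit message, which only describes scoping down the GITHUB_TOKEN; either split them into their own change or say in the message why they ride along, since the runner change alters where the benchmark executes. The re-indented `# schedule:` comment block also now sits directly beneath `permissions: {}`, so it reads as if it belonged to that key, and uncommenting it as written would not restore the schedule because `on: workflow_dispatch` is a scalar. Suggest keeping the FIXME block immediately under `on:` and placing `permissions: {}` after it.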
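Review bot: In .github/workflows/pr-jobs.yml, the workflow-level `permissions: {}` applies to every job started by `on: [push, pull_request]`, but nothing in the file records why an empty set is sufficient or what to do when a job later needs more. A one-line comment above it, stating that any job needing a scope should declare its own job-level `permissions:` rather than removing this line, would keep a future contributor from restoring the broad defaults wholesale. The same comment would fit the one-line additions in nightly.yml, nightly-candidate.yml and pr-jobs-candidate.yml.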