From 9a102869b156bfe598a71823e0b2ce2319a5b5ae Mon Sep 17 00:00:00 2001
From: Daniel Jacobs
Date: Fri, 23 Aug 2024 11:07:03 -0400
Subject: [PATCH 1/2] ci: Set most GITHUB_TOKEN permissions back to defaults
---
 .github/workflows/release_nightly.yml | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/release_nightly.yml b/.github/workflows/release_nightly.yml
index 8c02b96e5417..cb91e3f54555 100644
--- a/.github/workflows/release_nightly.yml
+++ b/.github/workflows/release_nightly.yml
@@ -310,8 +310,21 @@ jobs:
 if: needs.create-nightly-release.outputs.is_active == 'true'
 runs-on: ubuntu-22.04
 permissions:
- contents: read
+ actions: write
+ attestations: write
+ checks: write
+ contents: write
+ deployments: write
+ discussions: write
 id-token: write
+ issues: write
+ metadata: read
+ packages: write
+ pages: write
+ pull-requests: write
+ repository-projects: write
+ security-events: write
+ statuses: write
 strategy:
 matrix:
 demo: [false, true]
From c9c3dab75304065ae14b39c03055ed6ba3c5cb89 Mon Sep 17 00:00:00 2001
From: Daniel Jacobs
Date: Fri, 23 Aug 2024 12:04:29 -0400
Subject: [PATCH 2/2] ci: Further restrict GITHUB_TOKEN permissions
---
 .github/workflows/release_nightly.yml | 15 ++++----------
 1 file changed, 4 insertions(+), 11 deletions(-)
diff --git a/.github/workflows/release_nightly.yml b/.github/workflows/release_nightly.yml
index cb91e3f54555..d8a1a15b9cb5 100644
--- a/.github/workflows/release_nightly.yml
+++ b/.github/workflows/release_nightly.yml
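Review bot: The rewritten `permissions` block hands every write scope GitHub offers to a matrix job that, per the removed line and the surviving `id-token: write`, previously ran with `contents: read` plus OIDC only, and the commit title's "defaults" is not self-describing because the default token grant is a repository setting rather than something this file controls. The second patch in the series narrows most of these again, so I will not re-argue the scope set here, but `metadata: read` is granted to every token implicitly and listing it (here and in the second hunk, where it survives) implies a choice that was never made; I would drop that line. A short comment above the block recording why the remaining writes exist would make the intent reviewable, e.g. `# id-token + attestations: <step that signs/attests> — confirm`. The job definition begins before the hunk and its `steps` follow it, so which scopes are actually exercised is inferred, not verified.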
@@ -310,20 +310,13 @@ jobs:
 if: needs.create-nightly-release.outputs.is_active == 'true'
 runs-on: ubuntu-22.04
 permissions:
- actions: write
+ actions: read
 attestations: write
- checks: write
- contents: write
- deployments: write
- discussions: write
+ checks: read
+ contents: read
 id-token: write
- issues: write
 metadata: read
- packages: write
- pages: write
- pull-requests: write
- repository-projects: write
- security-events: write
+ pull-requests: read
 statuses: write
 strategy:
 matrix:
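Review bot: After this narrowing the job still holds `attestations: write`, `id-token: write` and `statuses: write` alongside four read scopes, and nothing in the hunk records which step needs which, so a later maintainer cannot tell `statuses: write` apart from the scopes this patch just removed. I would annotate each surviving non-read line, e.g. `statuses: write # posted by <step name> — confirm`, so the next least-privilege pass has something to check against. Worth confirming as well that `contents: read` is enough for a job in a release workflow, since this patch steps it down from `write`: a later step that pushes or uploads assets would only surface the problem as a 403 at run time, not at workflow lint. The enclosing job starts before the hunk and its `steps` come after it, so the scope-to-step mapping above is inferred rather than verified.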