Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add a permissions block for generated workflows #902

Merged
merged 2 commits into from
Feb 1, 2022
Merged

Add a permissions block for generated workflows #902

merged 2 commits into from
Feb 1, 2022

Conversation

aeisenberg
Copy link
Contributor

@aeisenberg aeisenberg commented Feb 1, 2022
edited
Loading

Ensure that all workflows are able to write security events. Fixes a bug where CI jobs were failing during the upload status report request if the ref property of the report was not the same as the PR ref.

I changed the approach in this PR. Instead of adding a permissions block, I am changing how the TEST_MODE environment variable works. Now, when this variable is set, no status reports will be uploaded to code scanning.

The reasoning is that code scans from forks will never be allowed to have security-events: write permissions for resources other than the current PR. This is a conscious decision and meant to prevent third parties from maliciously uploading new code scans for refs they do not control.

See #889

Merge / deployment checklist

  • Confirm this change is backwards compatible with existing workflows.
  • Confirm the readme has been updated if necessary.
  • Confirm the changelog has been updated if necessary.

@aeisenberg aeisenberg requested a review from a team as a code owner February 1, 2022 00:13
@cw-alexcroteau cw-alexcroteau mentioned this pull request Feb 1, 2022
Closed
3 tasks
@aeisenberg aeisenberg merged commit 57f34a1 into main Feb 1, 2022
@aeisenberg aeisenberg deleted the aeisenberg/permissions branch February 1, 2022 18:54
@aeisenberg aeisenberg mentioned this pull request Feb 2, 2022
Merged
4 tasks
@github-actions github-actions bot mentioned this pull request Feb 7, 2022
Merged
5 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@henrymercer henrymercer henrymercer approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@aeisenberg @henrymercer