
Grant test build wheel workflows with correct permissions #4870

Merged
merged 4 commits into from
Jan 12, 2024

Conversation

huydhn
Contributor

@huydhn huydhn commented Jan 12, 2024

This needs to be added to the test workflows after #4865

@facebook-github-bot facebook-github-bot added the CLA Signed This label is managed by the Facebook bot. Authors need to sign the CLA before a PR can be reviewed. label Jan 12, 2024

@huydhn huydhn requested a review from atalman January 12, 2024 01:14
@huydhn huydhn marked this pull request as ready for review January 12, 2024 01:20
Contributor

@malfet malfet left a comment

Those are test workflows that never upload anything, why do they need id-token: write?

@huydhn
Contributor Author

huydhn commented Jan 12, 2024

> Those are test workflows that never upload anything, why do they need id-token: write?

They don’t do that directly, but they invoke the wheel build reusable workflow, which requires the id-token: write permission. Without the change, the caller will have the default id-token: none permission and will not escalate it to the id-token: write required by the OIDC step. I need to do the same for all domains, i.e. vision pytorch/vision#8205.

You can see the failure here https://github.com/pytorch/test-infra/actions/runs/7496638182

@huydhn huydhn requested a review from malfet January 12, 2024 01:42
@huydhn
Contributor Author

huydhn commented Jan 12, 2024

According to the GH doc, id-token: write is the permission to actually query OIDC: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#adding-permissions-settings

For reusable workflows outside your enterprise or organization, the permissions setting for id-token should be explicitly set to write at the caller workflow level or in the specific job that calls the reusable workflow. This ensures that the OIDC token generated in the reusable workflow is only allowed to be consumed in the caller workflows when intended.
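The caller-side change described in the two comments above, written out as an added example (this is not the PR's diff and not a file from pytorch/test-infra). The reusable workflow path and its `with:` input names are placeholders chosen for illustration; only the `permissions:` block is the point.

```yaml
# Added example, not the PR's own diff. A test workflow that calls a
# reusable wheel-build workflow which requests an OIDC token.
#
# Before the fix there was no `permissions:` on the calling job, so the
# callee inherited id-token: none. A reusable workflow cannot raise its own
# permissions above what the caller grants, so the callee's OIDC step failed.
#
# After the fix the caller grants id-token: write on the job that does the
# call. Note that declaring a `permissions:` block sets every permission not
# listed to none, so `contents: read` must be restated for checkout to work.
name: Test Build Linux Wheels

on:
  pull_request:
  push:
    branches: [main]

jobs:
  build-wheels:
    permissions:
      id-token: write   # lets the called workflow mint an OIDC token
      contents: read    # checkout needs this; nothing else is granted
    # Placeholder path for the reusable wheel-build workflow (assumption).
    uses: ./.github/workflows/build_wheels_linux.yml
    with:
      # Placeholder input names (assumption); use the callee's real inputs.
      repository: ${{ github.repository }}
      ref: ${{ github.ref }}
```

Granting `id-token: write` only on the calling job, rather than at the workflow top level, keeps the token scoped to the one job that actually needs it; other jobs in the same workflow keep the default `id-token: none`.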

@huydhn huydhn merged commit 24c4b76 into main Jan 12, 2024
40 checks passed
@huydhn huydhn deleted the cleanup-aws-credentials branch January 12, 2024 03:21
huydhn added a commit that referenced this pull request Feb 12, 2024
This needs to be added to the test workflows after
#4865
huydhn added a commit that referenced this pull request Feb 12, 2024
The list includes:

* #4870
* #4877
* #4882
* #4886
* #4891
* #4893
* #4894
* #4901

---------

Co-authored-by: Andrey Talman <[email protected]>