Fix pre-commit errors on SPEC8 (#335)
QuLogic authored Jul 29, 2024
1 parent 41f2a84 commit cf09fa0
Showing 1 changed file with 7 additions and 7 deletions.
14 changes: 7 additions & 7 deletions spec-0008/index.md
Expand Up @@ -40,11 +40,11 @@ It is recommended that this is a dedicated page in the developer section of the

### Hardening workflow environment permissions

* Workflows that publish release artifacts should have _run triggers_ that require intentional actions by the release team (e.g., `workflow_dispatch` in GitHub Actions) and require multiple release team members to approve the workflow to run (c.f. "Use GitHub Actions environments" section below).
This is to safeguard the project from any one maintainer having the ability to commit to the default branch and make a release directly.
- Workflows that publish release artifacts should have _run triggers_ that require intentional actions by the release team (e.g., `workflow_dispatch` in GitHub Actions) and require multiple release team members to approve the workflow to run (c.f. "Use GitHub Actions environments" section below).
This is to safeguard the project from any one maintainer having the ability to commit to the default branch and make a release directly.

* It is also strongly recommended that the repository requires [signed commits](https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits) so that each release corresponds to a verified commit.
* The branch from which the release is made should also be protected.
- It is also strongly recommended that the repository requires [signed commits](https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits) so that each release corresponds to a verified commit.
- The branch from which the release is made should also be protected.

#### Restrict permissions in CI runners to the minimum required
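
Review bot: the rewritten first bullet still reads `(c.f. "Use GitHub Actions environments" section below)`. The abbreviation is spelled `cf.` and means "compare", while this is a plain pointer to another section, so `(see the "Use GitHub Actions environments" section below)` would be clearer. Since the line is being touched anyway, it could be fixed in this commit. Separately, the rendered view does not show leading whitespace, so please confirm that the continuation line "This is to safeguard the project ..." is indented under the new `-` marker and still renders as part of the first list item rather than as a separate paragraph.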

Expand All @@ -62,12 +62,12 @@ Elevating permissions beyond this should be done at the job level by redefining
GitHub allows restricting the actions that workflows can use via the repository actions permissions settings at `https://github.com/$ORG/$PROJECT/settings/actions`.
A reasonable default is to select the

* Allow $ORG, and select non-$ORG, actions and reusable workflows
- Allow $ORG, and select non-$ORG, actions and reusable workflows

option and the suboptions:

* Allow actions created by GitHub
* Allow specified actions and reusable workflows
- Allow actions created by GitHub
- Allow specified actions and reusable workflows

Consult [Managing GitHub Actions permissions for your repository](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#managing-github-actions-permissions-for-your-repository) for more details.
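
Review bot: in this hunk the sentence "A reasonable default is to select the" is still split across a one-item list and resumed with "option and the suboptions:", which reads awkwardly in rendered Markdown and depends on the list marker only for layout. Consider quoting the setting inline, for example: A reasonable default is to select the "Allow $ORG, and select non-$ORG, actions and reusable workflows" option and the suboptions, and keep a list only for the two suboptions. The `$ORG` placeholder is also unformatted in the bullet, while the settings URL two lines above puts `$ORG/$PROJECT` in backticks; using the same formatting in both places would make it clear that it is a placeholder to substitute.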
