Scope down GitHub token permissions for ci.yml #26
Closed
AdnaneKhan wants to merge 1 commit into awslabs:main from AdnaneKhan:update/token-scopedown
Conversation
This PR adds minimal required permissions to the workflow following the principle of least privilege.
Analysis:
This workflow performs Java project building and testing operations without modifying repository state. Analysis of the steps:
1. actions/checkout@v2 - requires 'contents: read' to clone the repository;
2. gradle/wrapper-validation-action@v1 - validates the Gradle wrapper configuration, local operation;
3. actions/setup-java@v2 - sets up JDK with specified Java version (11 or 17) and Zulu distribution, no GitHub permissions needed;
4. Clean and build step - runs './gradlew clean build -Plog-tests' to compile and test the Java project, local operation.
The workflow is triggered on: push to main branch and pull requests to main branch. The workflow uses a matrix strategy to run on multiple Java versions (11, 17) and operating systems (ubuntu-latest, windows-latest, macos-latest).
All operations are read-only with respect to the repository - the workflow only reads repository contents via checkout and performs local Gradle build and test operations. No steps create commits, push changes, create releases, modify issues/PRs, or perform any other write operations on the GitHub repository. The workflow does not use 'secrets: inherit' and does not require any secrets.
Following the principle of least privilege, the minimal required permission is 'contents: read' for the checkout action to clone the repository. The default GITHUB_TOKEN with read-only permissions is sufficient for this workflow.
Required permissions:
{
"contents": "read"
}
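For reference, here is what the scoped-down workflow looks like when the `permissions` block is declared at the top level. This is an added illustration reconstructed from the step list in the PR description, not the repository's actual `.github/workflows/ci.yml`; the workflow name, job name and step names are assumed. Without the `permissions:` key, the job runs with whatever the repository's default GITHUB_TOKEN permissions are (read-only or read/write, depending on the repository or organization "Workflow permissions" setting); with it, the token is `contents: read` and nothing else regardless of that setting.

```yaml
# Added example (not the project's own file). Step list reconstructed from the
# PR description; `name`, job id and step names are assumptions.
name: CI

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

# The only change the PR describes: an explicit top-level permissions block.
# Every permission not listed here is "none" for every job in this workflow,
# so the token can clone the repository and do nothing else.
permissions:
  contents: read

jobs:
  build:
    strategy:
      matrix:
        java: [11, 17]
        os: [ubuntu-latest, windows-latest, macos-latest]
    runs-on: ${{ matrix.os }}
    steps:
      # Needs contents: read to clone the repository.
      - uses: actions/checkout@v2

      # Validates the checked-in gradle-wrapper.jar checksum; local operation,
      # no GitHub API calls.
      - uses: gradle/wrapper-validation-action@v1

      # Installs the JDK from the Zulu distribution; no GitHub permissions.
      - uses: actions/setup-java@v2
        with:
          distribution: zulu
          java-version: ${{ matrix.java }}

      # Compiles and tests locally on the runner; nothing is pushed back.
      - name: Clean and build
        run: ./gradlew clean build -Plog-tests
```

To confirm the effect after merging, expand the "Set up job" step of any run and look at the "GITHUB_TOKEN Permissions" section; it lists the effective scopes for the job. Note that on `pull_request` events from forks the token is read-only regardless, so the explicit block mainly constrains the `push` to `main` runs, which are the ones where a compromised build step could otherwise use a read/write default token.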
Issue #, if available:
Description of changes:
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.