
[CI] gha: set default workflow permissions #1976


Merged
merged 1 commit into from
Jun 7, 2025

Conversation

jbampton
Member

@jbampton jbampton commented Jun 5, 2025

Did you read the Contributor Guide?

Is this PR related to a ticket?

  • No, this is a CI update. The PR name follows the format [CI] my subject

What changes were proposed in this PR?

Set workflow permissions

How was this patch tested?

Did this PR include necessary documentation updates?

  • No, this PR does not affect any public API so no need to change the documentation.

@jbampton jbampton requested a review from jiayuasu as a code owner June 5, 2025 22:20
@jbampton jbampton self-assigned this Jun 5, 2025
@jiayuasu
Member

jiayuasu commented Jun 6, 2025

What is the purpose of this PR?

@jbampton
Member Author

jbampton commented Jun 6, 2025

zizmor is a static analysis tool for GitHub Actions. It can find many common security issues in typical GitHub Actions CI/CD setups. So I ran zizmor here and it found that we did not have our permissions set on these workflows.

https://github.com/zizmorcore/zizmor

refs #1977

The other workflows that I did not modify already had:

permissions:
  contents: read

This is the example from zizmor:

Screenshot from 2025-06-07 06-47-33

So you can compare this PR to another previous PR and see the difference in the permissions.

This PR:

Screenshot from 2025-06-07 06-53-37

Another previous PR:

Screenshot from 2025-06-07 06-56-12

@jiayuasu jiayuasu merged commit adb2b0e into apache:master Jun 7, 2025
12 checks passed
jiayuasu added a commit that referenced this pull request Jun 8, 2025
@jiayuasu
Member

jiayuasu commented Jun 8, 2025

I had to revert this PR because our GitHub action actually deploys to our website branch, and this PR broke the GitHub action. Please fix accordingly: https://github.com/apache/sedona/actions/runs/15513400421
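The interaction discussed in this thread, as an added example that is not the project's own workflow: a read-only workflow default combined with a job-level override for the one job that pushes. It assumes the deploy step pushes with the default `GITHUB_TOKEN`; the workflow name, job names and scripts are hypothetical.

```yaml
# Added example; all names below are hypothetical, not taken from the repository.
name: docs

on:
  push:
    branches: [master]

# Workflow-wide default: every job receives a read-only GITHUB_TOKEN.
# Once a permissions block is present, scopes not listed are set to "none".
permissions:
  contents: read

jobs:
  build:
    # Inherits contents: read, which is enough to check out and build.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./build-docs.sh        # hypothetical build script

  deploy:
    needs: build
    runs-on: ubuntu-latest
    # A job-level block replaces the workflow default for this job only.
    # Pushing commits to a branch with GITHUB_TOKEN requires contents: write;
    # with only contents: read the push is rejected.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - run: ./publish-site.sh      # hypothetical script that pushes the built site
```

Scoping the write grant to the deploy job keeps the token read-only in every other job of the workflow.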
