Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Improve CI permissions, auto-merge maintainability, and clarity #1668

Merged
merged 13 commits into from
Nov 12, 2024
Merged
Show file tree
Hide file tree
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
Make GHA permissions explicit and often narrower
This adds `permissions` keys at workflow or job level in a number
of places, usually specifying minimal required permissions.

When a `permissions` key contains at least one subkey setting some
permission (in any way), all permissions it does not have subkeys
for are treated as if they were present with a value of `none`.
This relies on that rather than listing all unneeded permissions
everywhere with `none`.

So most `permissions` added here have only `contents: read`, and:

- The only place where `none` is specified explicitly is in the
  CIFuzz workflow, where no permissions (of those controllable
  through `permissions`) are needed.

- The only place any `write` permissions are specified are
  `contents: write` in the jobs of the release workflow that need
  it. All jobs involved in preparing a release currently have at
  least one step that requires this. But `contents: read` is still
  applied at the workflow level, because the `installation` job
  (which tests installing) does not need any `write` permissions.

Note that some jobs that don't have any write permissions of the
kind that is controlled under a `permissions` key do still perform
writes to data accessible outside of their run: caching (including
creating new caches), and uploading artifacts, still works.

Relevant documentation:

- https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#permissions
- https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#jobsjob_idpermissions
- https://docs.github.com/en/rest/authentication/permissions-required-for-github-apps
  • Loading branch information
EliahKagan committed Nov 10, 2024
commit f41a58cb0c0a1417fa08d69b2db172fc6f2d995c
3 changes: 3 additions & 0 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,9 @@ on:
- main
workflow_dispatch:

permissions:
contents: read

env:
CARGO_TERM_COLOR: always
CLICOLOR: 1
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/cifuzz.yml
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,9 @@ jobs:
Fuzzing:
runs-on: ubuntu-latest

permissions:
contents: none # The fuzzing actions don't use our github.token at all.

steps:
- name: Build Fuzzers
id: build
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/cron.yml
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,9 @@ on:
- cron: '0 13,1 * * *'
workflow_dispatch:

permissions:
contents: read

jobs:
stress:
runs-on: ubuntu-latest
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/msrv.yml
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,9 @@ on:
- main
workflow_dispatch:

permissions:
contents: read

jobs:
check-msrv:
name: cargo check MSRV
Expand Down
15 changes: 15 additions & 0 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,9 @@ on:
- 'v*'
workflow_dispatch:

permissions:
contents: read # Set more permissively in jobs that need `write`.

defaults:
run:
shell: bash
Expand All @@ -21,6 +24,9 @@ jobs:
create-release:
runs-on: ubuntu-latest

permissions:
contents: write

# env:
# # Set to force version number, e.g., when no tag exists.
# VERSION: TEST-0.0.0
Expand Down Expand Up @@ -204,6 +210,9 @@ jobs:

runs-on: ${{ matrix.os }}

permissions:
contents: write

env:
RUST_BACKTRACE: '1' # Emit backtraces on panics.
CARGO_TERM_COLOR: always
Expand Down Expand Up @@ -295,6 +304,9 @@ jobs:
# These features need to be exactly the same as the features in build-release.
feature: [ small, lean, max, max-pure ]

permissions:
contents: write

env:
BASH_ENV: ./helpers.sh
REPOSITORY: ${{ github.repository }}
Expand Down Expand Up @@ -354,6 +366,9 @@ jobs:

needs: [ create-release, build-release, build-macos-universal2-release ]

permissions:
contents: write

env:
REPOSITORY: ${{ github.repository }}
VERSION: ${{ needs.create-release.outputs.version }}
Expand Down