Add specific permissions to .github/workflows/lock.yaml #89820
Conversation
|
We found a Contributor License Agreement for you (the sender of this pull request), but were unable to find agreements for all the commit author(s) or Co-authors. If you authored these, maybe you used a different email address in the git commits than was used to sign the CLA (login here to double check)? If these were authored by someone else, then they will need to sign a CLA as well, and confirm that they're okay with these being contributed to Google. ℹ️ Googlers: Go here for more info. |
|
@googlebot I fixed it. |
|
All (the pull request submitter and all commit authors) CLAs are signed, but one or more commits were authored or co-authored by someone other than the pull request submitter. We need to confirm that all authors are ok with their commits being contributed to this project. Please have them confirm that by leaving a comment that contains only Note to project maintainer: There may be cases where the author cannot leave a comment, or the comment is not properly detected as consent. In those cases, you can manually confirm consent of the commit author(s), and set the ℹ️ Googlers: Go here for more info. |
|
The other author is a GitHub App (https://github.com/apps/step-security) that I have written. @googlebot I consent |
|
All (the pull request submitter and all commit authors) CLAs are signed, but one or more commits were authored or co-authored by someone other than the pull request submitter. We need to confirm that all authors are ok with their commits being contributed to this project. Please have them confirm that by leaving a comment that contains only Note to project maintainer: There may be cases where the author cannot leave a comment, or the comment is not properly detected as consent. In those cases, you can manually confirm consent of the commit author(s), and set the ℹ️ Googlers: Go here for more info. |
goderbauer
added
c: contributor-productivity
|
/cc @godofredoc |
.github/workflows/lock.yaml
Outdated
| lock: | ||
| permissions: | ||
| issues: write | ||
| pull-requests: write |
There was a problem hiding this comment.
rm? we don't need write access to pull-requests.
There was a problem hiding this comment.
Hi @godofredoc , dessant/lock-threads by default locks both PRs and issues. For PRs, it needs pull-requests:write permission. There is a process-only option to restrict it to only issues or PRs, and the default is both...
BTW, I liked how this workflow pins the action to a commit rather than a version. That is part of the GitHub security guidance, and I have been thinking of adding automation for that, but not sure if developers will adopt it. Seeing it in use here makes me think they might...
There was a problem hiding this comment.
Thanks @varunsh-coder for the information. The expected behavior for this repo is to process only issues. I sent a PR to update the config https://github.com/flutter/flutter/pull/90023/files.
Regarding pinning commit versions this is something we started tracking actively for all the flutter repositories.
There was a problem hiding this comment.
I have removed the pull-requests:write permission
|
@Hixie do you know how can we make the cla/google check pass for bot generated code? |
|
Yeah just manually change the label to say |
Remove pull-requests:write since flutter does not use it.
|
All (the pull request submitter and all commit authors) CLAs are signed, but one or more commits were authored or co-authored by someone other than the pull request submitter. We need to confirm that all authors are ok with their commits being contributed to this project. Please have them confirm that by leaving a comment that contains only Note to project maintainer: There may be cases where the author cannot leave a comment, or the comment is not properly detected as consent. In those cases, you can manually confirm consent of the commit author(s), and set the ℹ️ Googlers: Go here for more info. |
godofredoc
left a comment
godofredoc
left a comment
There was a problem hiding this comment.
Thank you for helping us ensure we are following best practices in our workflows.
|
Thanks @godofredoc ! I would appreciate it if you can share some feedback on this GitHub App that was used to secure this workflow. The interaction with the App would be similar to how it was with me in this PR, and the App would need to be installed on your org/ repo. How likely are you to install the App to secure your workflows? If not likely, what would some of the reasons be for that? Thanks in advance! |
* add `semanticsLabel` to `SelectableText` * remove unused vars * Squashed commit of the following: commit 3e687a9 Author: engine-flutter-autoroll <[email protected]> Date: Tue Sep 14 17:42:05 2021 -0400 Roll Plugins from 4a98e23 to b85edeb (2 revisions) (#90083) commit ad936b4 Author: Christopher Fujino <[email protected]> Date: Tue Sep 14 14:39:17 2021 -0700 [flutter_conductor] Support initial stable release version (#89775) commit ff5dd54 Author: Ian Hickson <[email protected]> Date: Tue Sep 14 13:02:04 2021 -0700 Mention the ToS on our README (#89765) commit 8587b60 Author: Kate Lovett <[email protected]> Date: Tue Sep 14 14:53:33 2021 -0500 Update local gold api (#90072) commit 7d368dc Author: Justin McCandless <[email protected]> Date: Tue Sep 14 12:39:19 2021 -0700 InteractiveViewer with a child of zero size (#90012) Asserts that the InteractiveViewer child can't have zero size. commit 2b4ef18 Author: Akira Aratani <[email protected]> Date: Wed Sep 15 03:30:50 2021 +0900 Fix document of the switch. (#89641) commit a2cd16b Author: Christopher Fujino <[email protected]> Date: Tue Sep 14 11:22:02 2021 -0700 use test logger, which does not allow colors (#90010) commit 0f0613c Author: Varun Sharma <[email protected]> Date: Tue Sep 14 11:17:03 2021 -0700 Add specific permissions to .github/workflows/lock.yaml (#89820) commit 2866f79 Author: Jason Simmons <[email protected]> Date: Tue Sep 14 10:46:35 2021 -0700 Initialize all bindings before starting the text_editing_action_target test suite (#90067) Fixes #90057 commit b889915 Author: Michael Thomsen <[email protected]> Date: Tue Sep 14 14:08:36 2021 +0200 Change min Dart SDK constraint to track actual version (#88743) commit 3b7adb9 Author: godofredoc <[email protected]> Date: Mon Sep 13 21:32:04 2021 -0700 Lock only issues. (#90023) commit 528f77d Author: Dan Field <[email protected]> Date: Mon Sep 13 19:10:15 2021 -0700 Opacity fix (#90017) * Make sure Opacity widgets/layers do not drop the offset commit 2470f63 Author: engine-flutter-autoroll <[email protected]> Date: Mon Sep 13 22:07:02 2021 -0400 4a98e23 [flutter_plugin_tools] Make no unit tests fatal for iOS/macOS (flutter/plugins#4341) (#90016) commit a01e473 Author: stuartmorgan <[email protected]> Date: Mon Sep 13 20:57:05 2021 -0400 Re-enable plugin analysis test (#89856) commit cdad35f Author: Aneesh Rao <[email protected]> Date: Tue Sep 14 05:17:04 2021 +0530 Fix path in example (#84707) commit 576aab0 Author: Christopher Fujino <[email protected]> Date: Mon Sep 13 15:47:03 2021 -0700 add analysis_options.yaml to dev/conductor (#90005) commit fad5e4c Author: Jason Simmons <[email protected]> Date: Mon Sep 13 13:37:07 2021 -0700 Remove a redundant test case in the flutter_tools create_test (#89872) commit 738430c Author: Darren Austin <[email protected]> Date: Mon Sep 13 13:33:48 2021 -0700 Revert "Removed default page transitions for desktop and web platforms. (#82596)" (#89997) This reverts commit 43e3197 commit 9db9256 Author: Dan Field <[email protected]> Date: Mon Sep 13 13:15:19 2021 -0700 Revert "Make sure Opacity widgets/layers do not drop the offset (#89264)" (#89999) This reverts commit 0d0f7a4. commit 00f78cf Author: keyonghan <[email protected]> Date: Mon Sep 13 13:04:01 2021 -0700 renew cirrus key (#89988) commit 826da7f Author: engine-flutter-autoroll <[email protected]> Date: Mon Sep 13 15:52:03 2021 -0400 cfc8a20 renew cirrus key (flutter/plugins#4340) (#89996) commit cd112e5 Author: Anna Gringauze <[email protected]> Date: Mon Sep 13 12:13:42 2021 -0700 Update all packages (#89797)
6 participants
This PR adds specific permissions to the existing lock.yaml workflow under .github/workflows.
Background
I have implemented a GitHub App to automatically restrict permissions for the GITHUB_TOKEN in workflows. This is a security best practice as per the GitHub Actions hardening guide.
I am trying the App out on public repositories, by forking them, installing the App on the fork, and manually creating PRs with the fixed workflows. The App automatically fixes permissions when a PR is created that creates a new workflow, so feel free to install it for future workflows, or try it out on other repos.
I have manually reviewed the changes, and they do look good to me. If something looks off, please let me know. If you have feedback, would love to hear it. Thanks!
List which issues are fixed by this PR. You must list at least one issue.
Tried to create an issue, but did not find a suitable category
Pre-launch Checklist
///).If you need help, consider asking for advice on the #hackers-new channel on Discord.