fix: add necessary permissions to example workflow #31582
Conversation
Uses the diff from github#31322 but adds explicit permissions as well, which allows it to be tested with `workflow_dispatch:` if users desire so. Also use `github.ref_name` instead of the pull_request.number to query the branch. I couldn't get the original to work in local tests but with `ref_name` it works flawlessly.
content/actions/using-workflows/caching-dependencies-to-speed-up-workflows.md
@@ -369,7 +371,7 @@ jobs: | |||
env: | |||
GH_TOKEN: {% raw %}${{ secrets.GITHUB_TOKEN }}{% endraw %} | |||
REPO: {% raw %}${{ github.repository }}{% endraw %} | |||
BRANCH: refs/pull/{% raw %}${{ github.event.pull_request.number }}{% endraw %}/merge | |||
BRANCH: {% raw %}${{ github.ref_name }}{% endraw %} |
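Review bot: replacing `refs/pull/${{ github.event.pull_request.number }}/merge` with `${{ github.ref_name }}` breaks the cleanup for the example's own trigger: caches written by a `pull_request` run are stored under the merge ref `refs/pull/<n>/merge`, and on a closed-PR run `ref_name` resolves to the base branch (main/master), so the list query returns no caches to delete. Keep the merge-ref form for the `pull_request` path and only use `github.ref_name` when the event is `workflow_dispatch`, for example by computing `BRANCH` in a step from `github.event_name`.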
Indeed, using ref_name in workflow_dispatch is the correct approach.
However, this approach is not correct in this example.
Because the cache is created for the merge ref (refs/pull/.../merge) when a cache is created by a workflow run triggered on a pull request, it will not work correctly with ref_name.
I think I might have been wrong - ref_name ends up being main/master after merge. We'd need github.head_ref here instead.
@corneliusroemer Thanks so much for opening a PR! I'll get this triaged for review ✨
@Mogyuchi made a good point that
content/actions/using-workflows/caching-dependencies-to-speed-up-workflows.md
@corneliusroemer
types: | ||
- closed | ||
|
||
jobs: | ||
cleanup: | ||
runs-on: ubuntu-latest | ||
permissions: | ||
actions: write |
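Review bot: the `permissions: actions: write` block is needed whatever event triggers this job whenever the repository's default workflow permissions are read-only (Settings > Actions > General > Workflow permissions), so it is independent of the `types: - closed` / `pull_request_target` change carried over from #31322; consider landing it as its own pull request. Scoping it at the job level to the single `actions` scope is the right least-privilege shape, since only the `cleanup` job needs to delete caches.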
permissions is required regardless of the event if "Read and write permissions" are not selected in the settings (Settings > Actions > General > Actions permissions > Workflow permissions). In other words, it is not relevant to changing pull_request_target.
Therefore, I believe it is more appropriate to make this a separate pull request from #31322.
…I feel like I need to explain how what is written in restrictions-for-accessing-a-cache affects cache cleanup.
Hello @corneliusroemer and @Mogyuchi - thank you for the suggestions here. We had a chance to dig into this on our team and we agreed that we shouldn't change this example to use That said, I didn't want to outright close this PR because I think it's a valid change to cover the cross-repository pull request use case. In the "Events that trigger workflows" article, we do have a warning box about the permissions: " Which looks like it has the context someone would need for the cross-repo pull requests. A few questions for you:
What I wanted to say is that I don't want this pull request to be based on my pull request.
I think we should talk about this in #31322, so I'll answer there.
Yes. We should specify the permission. https://securitylab.github.com/research/github-actions-building-blocks/#following-the-principle-of-least-privilege
Yes. Related pull request: #23612
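As an added example (not the docs' example workflow and not code from this PR), a cleanup script that picks the ref the way the reviewers describe: `refs/pull/<n>/merge` for `pull_request` runs and the branch from `ref_name` for manual `workflow_dispatch` runs, then lists and deletes caches through the documented REST endpoints. It assumes `GH_TOKEN`, `REPO`, `EVENT_NAME`, `PR_NUMBER` and `REF_NAME` are exported from the workflow's `env:` block and that the job carries `permissions: actions: write`.

```shell
#!/usr/bin/env bash
# Added example: choose the ref a cache was created under, then delete
# caches for that ref. Assumed env (set from the workflow's env: block):
#   GH_TOKEN   - token with actions: write on the job
#   REPO       - owner/name, e.g. ${{ github.repository }}
#   EVENT_NAME - ${{ github.event_name }}
#   PR_NUMBER  - ${{ github.event.pull_request.number }} (pull_request only)
#   REF_NAME   - ${{ github.ref_name }} (workflow_dispatch only)
set -eu

# Caches written by a pull_request run are scoped to refs/pull/<n>/merge,
# not to ref_name, which is the base branch once the PR is closed.
# Manual runs clean the branch selected in the workflow_dispatch form.
cache_ref() {
  event="$1"; pr_number="$2"; ref_name="$3"
  case "$event" in
    pull_request|pull_request_target)
      printf 'refs/pull/%s/merge\n' "$pr_number" ;;
    workflow_dispatch)
      printf 'refs/heads/%s\n' "$ref_name" ;;
    *)
      echo "cache_ref: unsupported event '$event'" >&2
      return 1 ;;
  esac
}

# List cache ids for one ref and delete each of them.
# Endpoints: GET  /repos/{owner}/{repo}/actions/caches?ref=<ref>
#            DELETE /repos/{owner}/{repo}/actions/caches/{cache_id}
cleanup_caches() {
  ref="$1"
  gh api "repos/$REPO/actions/caches?ref=$ref&per_page=100" \
      --jq '.actions_caches[].id' |
  while read -r id; do
    echo "deleting cache $id scoped to $ref"
    gh api --method DELETE "repos/$REPO/actions/caches/$id"
  done
}

# Entry point for the workflow step: run `main` from the run: block.
main() {
  ref="$(cache_ref "${EVENT_NAME:-}" "${PR_NUMBER:-}" "${REF_NAME:-}")"
  cleanup_caches "$ref"
}
```

Call `main` from the workflow's `run:` step; the functions are kept separate so the ref selection can be checked without network access.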
Why:
Closes #31321