[llvm] workflows: Unsplit new-prs (PR #69560)

Aiden Grossman via llvm-commits llvm-commits at lists.llvm.org
Mon Oct 30 13:33:08 PDT 2023


================
@@ -1,56 +1,37 @@
 name: "Labelling new pull requests"
+
+permissions:
+  contents: read
+
 on:
-  workflow_run:
-    workflows: ["PR Receive"]
+  # It's safe to use pull_request_target here, because we aren't checking out
+  # code from the pull request branch.
+  # See https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+  pull_request_target:
+    types:
+      - opened
+      - reopened
+      - ready_for_review
+      - synchronize
 
 jobs:
   automate-prs-labels:
     permissions:
       contents: read
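Review bot: The safety claim in the `pull_request_target` comment is an invariant the workflow file does not enforce: with this trigger the job runs in the context of the base branch with a privileged `GITHUB_TOKEN`, so it stays safe only as long as no step ever checks out or executes content from the PR head, and the `synchronize` type means every push to a PR re-runs it with those privileges. Consider stating that constraint explicitly in the comment (e.g. "no `actions/checkout` of the PR head ref may be added to this workflow") so a future edit does not silently break it. Separately, the job-level `permissions:` block at the end of the hunk repeats `contents: read`, which the new top-level block already sets as the default; if `automate-prs-labels` needs `pull-requests: write` to apply labels, that is the permission to declare at the job level, leaving the top-level default read-only.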
----------------
boomanaiden154 wrote:

Looking [here](https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#token-permissions), the recommendation seems to be to declare only read permissions at the top of the file to limit everything, and then add write permissions in individual jobs, to prevent adding another job that doesn't need these permissions but still has them.

I think following that practice makes a lot of sense. There is probably a full list of best practices somewhere that would be good to follow/implement.

https://github.com/llvm/llvm-project/pull/69560
