[llvm] workflows/release-binaries: Remove .git directory from artifacts (PR #106310)
Tom Stellard via llvm-commits
llvm-commits at lists.llvm.org
Tue Aug 27 16:49:56 PDT 2024
tstellar wrote:
> Did you come across this from the article or was there some scanner involved here?
It's from the article linked in the comment.
> I'm assuming the token by default won't have a large amount of permissions though and should be ephemeral?
The called workflow inherits the caller permissions, so the tokens should be read-only and only usable while the workflow is running.
> Speaking of that, do we want to tack on a
>
> ```yaml
> permissions:
>   contents: read
> ```
I'm not sure if the composite actions support top-level permissions, but I'll try it.
https://github.com/llvm/llvm-project/pull/106310
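
A pre-upload check for the concern discussed in this thread, as an added example that is not part of the original message or of the LLVM workflow. It assumes the token in question is the one a checkout step leaves in `.git/config` as an `extraheader` entry; the function names and sample tree are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example (not LLVM's code): refuse to upload a staged artifact
# directory that still carries git metadata or a persisted credential header.
# Usage in a workflow step: scan_artifact_dir path/to/staging || exit 1

# Builds a constructed sample tree: one placeholder binary plus a .git/config
# holding a placeholder credential line in the assumed extraheader form.
make_sample_tree() {
  mkdir -p "$1/bin" "$1/.git"
  echo 'binary placeholder' > "$1/bin/tool"
  printf '[http "https://github.com/"]\n\textraheader = AUTHORIZATION: basic CONSTRUCTED-PLACEHOLDER\n' \
    > "$1/.git/config"
}

# Prints findings and returns 1 if the directory is unsafe to upload, else 0.
scan_artifact_dir() {
  dir=$1
  status=0
  # Any .git entry: a directory, or a gitfile left by a worktree or submodule.
  git_paths=$(find "$dir" -name .git 2>/dev/null || true)
  # Any text file still holding an Authorization extraheader line, which also
  # catches a config that was copied or renamed outside .git.
  cred_files=$(grep -rlIi 'extraheader *= *AUTHORIZATION' "$dir" 2>/dev/null || true)
  if [ -n "$git_paths" ]; then
    printf 'git metadata in artifact: %s\n' "$git_paths"
    status=1
  fi
  if [ -n "$cred_files" ]; then
    printf 'credential header in: %s\n' "$cred_files"
    status=1
  fi
  return "$status"
}
```

Running the check as the last step before the upload makes the job fail closed if a later change reintroduces the `.git` directory into the packaged tree.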