[llvm] workflows/release-binaries: Remove .git directory from artifacts (PR #106310)

Tom Stellard via llvm-commits llvm-commits at lists.llvm.org
Tue Aug 27 16:49:56 PDT 2024


tstellar wrote:

> Did you come across this from the article or was there some scanner involved here?

It's from the article linked in the comment.

> I'm assuming the token by default won't have a large amount of permissions though and should be ephemeral?
> 

The called workflow inherits the caller permissions, so the tokens should be read-only and only usable while the workflow is running. 

> Speaking of that, do we want to tack on a
> 
> ```yaml
> permissions:
>   contents: read
> ```

I'm not sure if the composite actions support top-level permissions, but I'll try it.

https://github.com/llvm/llvm-project/pull/106310

