[llvm] [libc++][Github] Remove workflow-scoped write permissions (PR #126447)
via llvm-commits
llvm-commits at lists.llvm.org
Sun Feb 9 16:18:28 PST 2025
llvmbot wrote:
@llvm/pr-subscribers-libcxx
Author: Aiden Grossman (boomanaiden154)
<details>
<summary>Changes</summary>
This patch removes the workflow-scoped package write permissions in the libcxx-build-containers workflow. The relevant permissions are already present in the job, so this raises the potential for new jobs being added to the workflow that do not need the permissions but have them anyway. Not having workflow-scoped write permissions is security best practice.
Fixes #126230.
---
Full diff: https://github.com/llvm/llvm-project/pull/126447.diff
1 Files Affected:
- (modified) .github/workflows/libcxx-build-containers.yml (-1)
``````````diff
diff --git a/.github/workflows/libcxx-build-containers.yml b/.github/workflows/libcxx-build-containers.yml
index 2d040f712ce592b..bb4bd8843772fba 100644
--- a/.github/workflows/libcxx-build-containers.yml
+++ b/.github/workflows/libcxx-build-containers.yml
@@ -9,7 +9,6 @@ name: Build Docker images for libc++ CI
permissions:
contents: read
- packages: write
on:
push:
``````````
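Review bot: removing `packages: write` from the top-level `permissions:` block depends on a job-level grant that this hunk does not show, so the job that pushes the container images should be checked for its own `packages: write` entry before merging; without it the push step would run with only `contents: read`. The description says the permission is already present in the job, but the surrounding context here stops at `on:` / `push:`, so that cannot be confirmed from the diff alone. A short comment above the remaining top-level block stating that write scopes are declared per job would also help keep a later change from adding them back at workflow scope.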
</details>
https://github.com/llvm/llvm-project/pull/126447