[llvm] 1e02442 - [Github][Docs] Add best practice for top level read permissions (#131470)

via llvm-commits llvm-commits at lists.llvm.org
Sat Mar 15 23:35:22 PDT 2025


Author: Aiden Grossman
Date: 2025-03-15T23:35:18-07:00
New Revision: 1e02442df6cfdcc70123a9087173ca84c518d0a1

URL: https://github.com/llvm/llvm-project/commit/1e02442df6cfdcc70123a9087173ca84c518d0a1
DIFF: https://github.com/llvm/llvm-project/commit/1e02442df6cfdcc70123a9087173ca84c518d0a1.diff

LOG: [Github][Docs] Add best practice for top level read permissions (#131470)

This patch adds a section pointing out how permissions should be done
within Github workflows. I believe all of our workflows are currently
compliant with this, but it helps to have something to point to
documenting the practice and especially the motivation.

Added: 
    

Modified: 
    llvm/docs/CIBestPractices.rst

Removed: 
    


################################################################################
diff  --git a/llvm/docs/CIBestPractices.rst b/llvm/docs/CIBestPractices.rst
index 398af21a9d966..0f2d446673448 100644
--- a/llvm/docs/CIBestPractices.rst
+++ b/llvm/docs/CIBestPractices.rst
@@ -92,3 +92,19 @@ image to a new version with potentially breaking changes, instead allowing us
 to explicitly opt-in to using the new image when we have done sufficient
 testing to ensure that our existing workflows work as expected in the new
 environment.
+
+Top Level Read Permissions
+--------------------------
+
+The top of every workflow should specify that the job only has read
+permissions:
+
+.. code-block:: yaml
+
+  permissions:
+    contents: read
+
+If specific jobs within the workflow need additional permissions, those
+permissions should be added within the specific job. This practice locks down
+all permissions by default and only enables them when needed, better enforcing
+the principle of least privilege.
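Review bot: "the job only has read permissions" (in the sentence introducing the YAML block) understates what the snippet does and should be made precise: a top-level `permissions` block that names only `contents` grants read access to repository contents and sets every other scope (`pull-requests`, `issues`, `id-token`, and so on) to none, which is the stronger and more accurate description and is the real reason the block is worth requiring. The last paragraph should also warn that a job-level `permissions` block replaces the workflow-level one rather than merging with it, so a job that adds, for example, `pull-requests: write` must restate `contents: read` alongside it if it still needs token access to the repository; as written, a reader following "those permissions should be added within the specific job" could drop contents access from that job without noticing.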
