
@pnacht (Contributor) commented Nov 8, 2023

Fixes #1304.

This PR ensures all KerasNLP workflows run with read-only tokens, protecting the project from supply-chain risks.

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
@mattdangerw (Member)

/gcbrun

@mattdangerw (Member) left a comment

This looks good to me! Let us know if you think we should merge this along with the setting change in #1304. That seems good, as these workflows will never need write access whatever our setting is, but I will wait for you to weigh in.

@pnacht (Contributor, Author) commented Nov 9, 2023

Yeah, the repo setting ensures the default is secure, but this gives you an added layer of security in case someone accidentally changes the setting back (which happens more often than you'd think, since many third-party Actions simply suggest setting write-all instead of figuring out which permissions they actually need).

It also has the slight benefit of helping security tools such as the OpenSSF Scorecard know the workflow is secure.
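An added illustration of the pattern discussed above (example configuration, not the diff from this PR or a KerasNLP workflow file; the workflow name, job names and commands are assumed): the weak `write-all` declaration is shown commented out beside the read-only default, and a single job opts in to the one write scope it needs.

```yaml
name: Tests   # assumed workflow name, not taken from the KerasNLP repo
on: [push, pull_request]

# Weak setting: every job's GITHUB_TOKEN could push commits, publish
# releases, or edit issues, so a compromised third-party Action in any
# step inherits all of that. Many Action READMEs suggest exactly this.
# permissions: write-all

# Hardened setting: the token is read-only for the whole workflow,
# regardless of what the repository-level default is set to.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: pip install -e . && pytest   # assumed test command

  comment-coverage:
    runs-on: ubuntu-latest
    needs: test
    # A job that genuinely must write declares only that scope; the
    # workflow-level read-only default still applies to every other job.
    permissions:
      contents: read
      pull-requests: write
    steps:
      - run: echo "post coverage summary here"   # placeholder step
```

Because the `permissions` block lives in the workflow file, a later change to the repository setting cannot silently widen these tokens, and scanners such as OpenSSF Scorecard can read the declared scopes directly.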

@mattdangerw (Member)

Thank you!!

Development: Successfully merging this pull request may close these issues: GitHub workflows run with write-all tokens