From c7df69ba44ad18fff144820967150bb3ff647ec5 Mon Sep 17 00:00:00 2001
From: Olaoluwa Salami
Date: Mon, 15 Jan 2024 18:35:29 +0000
Subject: [PATCH 1/5] test permissions

---
 .github/workflows/build.yml | 3 ++-
 .github/workflows/contrib-openai.yml | 2 +-
 .github/workflows/contrib-tests.yml | 2 +-
 .github/workflows/deploy-website.yml | 2 +-
 .github/workflows/dotnet-run-openai-test-and-notebooks.yml | 2 +-
 .github/workflows/openai.yml | 2 +-
 .github/workflows/pre-commit.yml | 2 +-
 .github/workflows/python-package.yml | 2 +-
 8 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 2f1af9ab744c..ce48349c4f9e 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -19,7 +19,8 @@ on:
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref }}
 cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
-
+permissions:
+ actions: read
 jobs:
 build:

diff --git a/.github/workflows/contrib-openai.yml b/.github/workflows/contrib-openai.yml
index 90eac3488ed3..1e83a136d22c 100644
--- a/.github/workflows/contrib-openai.yml
+++ b/.github/workflows/contrib-openai.yml
@@ -11,7 +11,7 @@ on:
 - 'test/agentchat/contrib/**'
 - '.github/workflows/contrib-openai.yml'
 - 'setup.py'
-
+permissions: read-all
 jobs:
 RetrieveChatTest:
 strategy:
diff --git a/.github/workflows/contrib-tests.yml b/.github/workflows/contrib-tests.yml
index 27a616b77190..deeb3d64cf93 100644
--- a/.github/workflows/contrib-tests.yml
+++ b/.github/workflows/contrib-tests.yml
@@ -15,7 +15,7 @@ on:
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref }}
 cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
-
+permissions: read-all
 jobs:
 RetrieveChatTest:
 runs-on: ${{ matrix.os }}
diff --git a/.github/workflows/deploy-website.yml b/.github/workflows/deploy-website.yml
index 3571697ace21..124a857d6ae3 100644
--- a/.github/workflows/deploy-website.yml
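Review bot: The `permissions:` block added to `.github/workflows/build.yml` in PATCH 1/5 lists only `actions: read`, and once the key is present every scope that is not listed falls to `none`, so this workflow ends up with a different token baseline from the seven other files, which get `read-all` (read access on every scope). Nothing in the hunks says which scopes the jobs use, and the job steps are outside them. Pick one baseline for all eight files and record the reason next to the key, for example `# GITHUB_TOKEN scopes for every job in this workflow; scopes not listed are set to none`. The hunks also put `permissions:` in place of the blank line that separated the trigger block from `jobs:`; keeping a blank line on both sides would preserve the file's layout.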
+++ b/.github/workflows/deploy-website.yml
@@ -16,7 +16,7 @@ on:
 workflow_dispatch:
 merge_group:
 types: [checks_requested]
-
+permissions: read-all
 jobs:
 checks:
 if: github.event_name != 'push'
diff --git a/.github/workflows/dotnet-run-openai-test-and-notebooks.yml b/.github/workflows/dotnet-run-openai-test-and-notebooks.yml
index 687b474afd63..9216813691a6 100644
--- a/.github/workflows/dotnet-run-openai-test-and-notebooks.yml
+++ b/.github/workflows/dotnet-run-openai-test-and-notebooks.yml
@@ -7,7 +7,7 @@ on:
 - 'dotnet/**'
 env:
 BUILD_CONFIGURATION: Release # set this to the appropriate build configuration
-
+permissions: read-all
 jobs:
 build:
 environment: dotnet
diff --git a/.github/workflows/openai.yml b/.github/workflows/openai.yml
index 83679b58e388..eeeb4b11da78 100644
--- a/.github/workflows/openai.yml
+++ b/.github/workflows/openai.yml
@@ -12,7 +12,7 @@ on:
 - 'notebook/agentchat_auto_feedback_from_code_execution.ipynb'
 - 'notebook/agentchat_function_call.ipynb'
 - '.github/workflows/openai.yml'
-
+permissions: read-all
 jobs:
 test:
 strategy:
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
index 70ff6009979b..d9a53d079af0 100644
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
@@ -9,7 +9,7 @@ on: # Trigger the workflow on pull request or merge
 defaults:
 run:
 shell: bash
-
+permissions: read-all
 jobs:

 pre-commit-check:
diff --git a/.github/workflows/python-package.yml b/.github/workflows/python-package.yml
index 067dd9115d97..91951e7be61e 100644
--- a/.github/workflows/python-package.yml
+++ b/.github/workflows/python-package.yml
@@ -7,7 +7,7 @@ name: python-package
 on:
 release:
 types: [published]
-
+permissions: read-all
 jobs:
 deploy:
 strategy:

From 8c7259fed7557962dea8aef818066801435196e5 Mon Sep 17 00:00:00 2001
From: Olaoluwa Salami
Date: Mon, 15 Jan 2024 18:53:10 +0000
Subject: [PATCH 2/5] test least permissions

---
 .github/workflows/build.yml | 5 ++++-
 .github/workflows/contrib-openai.yml | 6 +++++-
 .github/workflows/contrib-tests.yml | 6 +++++-
 .github/workflows/deploy-website.yml | 6 +++++-
 .github/workflows/dotnet-run-openai-test-and-notebooks.yml | 6 +++++-
 .github/workflows/openai.yml | 6 +++++-
 .github/workflows/pre-commit.yml | 6 +++++-
 .github/workflows/python-package.yml | 6 +++++-
 8 files changed, 39 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index ce48349c4f9e..1fc1adbe3d5b 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -20,7 +20,10 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref }}
 cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
 permissions:
- actions: read
+ # actions: read
+ # checks: read
+ contents: read
+ # deployments: read
 jobs:
 build:

diff --git a/.github/workflows/contrib-openai.yml b/.github/workflows/contrib-openai.yml
index 1e83a136d22c..15dee33c71bd 100644
--- a/.github/workflows/contrib-openai.yml
+++ b/.github/workflows/contrib-openai.yml
@@ -11,7 +11,11 @@ on:
 - 'test/agentchat/contrib/**'
 - '.github/workflows/contrib-openai.yml'
 - 'setup.py'
-permissions: read-all
+permissions:
+ # actions: read
+ # checks: read
+ contents: read
+ # deployments: read
 jobs:
 RetrieveChatTest:
 strategy:
diff --git a/.github/workflows/contrib-tests.yml b/.github/workflows/contrib-tests.yml
index deeb3d64cf93..25f7b020719b 100644
--- a/.github/workflows/contrib-tests.yml
+++ b/.github/workflows/contrib-tests.yml
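Review bot: The commented-out scopes added around `contents: read` in the build.yml hunk of PATCH 2/5 (`# actions: read`, `# checks: read`, `# deployments: read`) are trial leftovers, and the same four lines are repeated in the other seven hunks of this patch. They read like a half-finished configuration and give no reason why `contents: read` is sufficient. Replace them with one comment above the key, for example `# least privilege: jobs only read the repository; add a job-level permissions block if a step needs more`. Whether every job really works with read-only contents cannot be confirmed from the hunks, because the job steps are outside them.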
@@ -15,7 +15,11 @@ on:
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref }}
 cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
-permissions: read-all
+permissions:
+ # actions: read
+ # checks: read
+ contents: read
+ # deployments: read
 jobs:
 RetrieveChatTest:
 runs-on: ${{ matrix.os }}
diff --git a/.github/workflows/deploy-website.yml b/.github/workflows/deploy-website.yml
index 124a857d6ae3..eba72bdf7184 100644
--- a/.github/workflows/deploy-website.yml
+++ b/.github/workflows/deploy-website.yml
@@ -16,7 +16,11 @@ on:
 workflow_dispatch:
 merge_group:
 types: [checks_requested]
-permissions: read-all
+permissions:
+ # actions: read
+ # checks: read
+ contents: read
+ # deployments: read
 jobs:
 checks:
 if: github.event_name != 'push'
diff --git a/.github/workflows/dotnet-run-openai-test-and-notebooks.yml b/.github/workflows/dotnet-run-openai-test-and-notebooks.yml
index 9216813691a6..f59b3db5bc4b 100644
--- a/.github/workflows/dotnet-run-openai-test-and-notebooks.yml
+++ b/.github/workflows/dotnet-run-openai-test-and-notebooks.yml
@@ -7,7 +7,11 @@ on:
 - 'dotnet/**'
 env:
 BUILD_CONFIGURATION: Release # set this to the appropriate build configuration
-permissions: read-all
+permissions:
+ # actions: read
+ # checks: read
+ contents: read
+ # deployments: read
 jobs:
 build:
 environment: dotnet
diff --git a/.github/workflows/openai.yml b/.github/workflows/openai.yml
index eeeb4b11da78..11cef7e5c6f7 100644
--- a/.github/workflows/openai.yml
+++ b/.github/workflows/openai.yml
@@ -12,7 +12,11 @@ on:
 - 'notebook/agentchat_auto_feedback_from_code_execution.ipynb'
 - 'notebook/agentchat_function_call.ipynb'
 - '.github/workflows/openai.yml'
-permissions: read-all
+permissions:
+ # actions: read
+ # checks: read
+ contents: read
+ # deployments: read
 jobs:
 test:
 strategy:
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
index d9a53d079af0..79b5a33924da 100644
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
@@ -9,7 +9,11 @@ on: # Trigger the workflow on pull request or merge
 defaults:
 run:
 shell: bash
-permissions: read-all
+permissions:
+ # actions: read
+ # checks: read
+ contents: read
+ # deployments: read
 jobs:

 pre-commit-check:
diff --git a/.github/workflows/python-package.yml b/.github/workflows/python-package.yml
index 91951e7be61e..5ccfd77fd234 100644
--- a/.github/workflows/python-package.yml
+++ b/.github/workflows/python-package.yml
@@ -7,7 +7,11 @@ name: python-package
 on:
 release:
 types: [published]
-permissions: read-all
+permissions:
+ # actions: read
+ # checks: read
+ contents: read
+ # deployments: read
 jobs:
 deploy:
 strategy:

From 7bebe3a2245ebc0380748cd33523a89f9b110ba8 Mon Sep 17 00:00:00 2001
From: Olaoluwa Salami
Date: Mon, 15 Jan 2024 18:57:36 +0000
Subject: [PATCH 3/5] remove contents permissions

---
 .github/workflows/deploy-website.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/deploy-website.yml b/.github/workflows/deploy-website.yml
index eba72bdf7184..df22b5e15180 100644
--- a/.github/workflows/deploy-website.yml
+++ b/.github/workflows/deploy-website.yml
@@ -16,10 +16,10 @@ on:
 workflow_dispatch:
 merge_group:
 types: [checks_requested]
-permissions:
+permissions: {}
 # actions: read
 # checks: read
- contents: read
+ # contents: read
 # deployments: read
 jobs:
 checks:

From 4b1e8c9e2368a91fe9e55f0cca1198b2196e1e9b Mon Sep 17 00:00:00 2001
From: Olaoluwa Salami
Date: Mon, 15 Jan 2024 19:06:20 +0000
Subject: [PATCH 4/5] testing permisions

---
 .github/workflows/build.yml | 4 ++--
 .github/workflows/contrib-openai.yml | 4 ++--
 .github/workflows/contrib-tests.yml | 4 ++--
 .github/workflows/dotnet-run-openai-test-and-notebooks.yml | 4 ++--
 .github/workflows/openai.yml | 4 ++--
 .github/workflows/pre-commit.yml | 4 ++--
 .github/workflows/python-package.yml | 4 ++--
 7 files changed, 14 insertions(+), 14 deletions(-)
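Review bot: In the deploy-website.yml hunk of PATCH 3/5, `permissions: {}` is followed by four indented comment lines that still look like a block mapping, so uncommenting any of them (say `# contents: read`) without first deleting `{}` produces invalid YAML; the seven hunks of PATCH 4/5 add the same shape. `{}` sets every GITHUB_TOKEN scope to `none` for all jobs in the workflow, which is the tightest default, but any step that uses the token (checkout of a non-public repository, status or comment posting, uploads through the API) will then fail. The job steps are outside the hunks, so each workflow should be run once after this change. I would write `permissions: {}  # no GITHUB_TOKEN scopes by default; grant per job where a step needs one` and drop the commented lines.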
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 1fc1adbe3d5b..4e2f9bd6153d 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -19,10 +19,10 @@ on:
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref }}
 cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
-permissions:
+permissions: {}
 # actions: read
 # checks: read
- contents: read
+ # contents: read
 # deployments: read
 jobs:
 build:
diff --git a/.github/workflows/contrib-openai.yml b/.github/workflows/contrib-openai.yml
index 15dee33c71bd..3d15720331bf 100644
--- a/.github/workflows/contrib-openai.yml
+++ b/.github/workflows/contrib-openai.yml
@@ -11,10 +11,10 @@ on:
 - 'test/agentchat/contrib/**'
 - '.github/workflows/contrib-openai.yml'
 - 'setup.py'
-permissions:
+permissions: {}
 # actions: read
 # checks: read
- contents: read
+ # contents: read
 # deployments: read
 jobs:
 RetrieveChatTest:
diff --git a/.github/workflows/contrib-tests.yml b/.github/workflows/contrib-tests.yml
index 25f7b020719b..4d0613e7cefb 100644
--- a/.github/workflows/contrib-tests.yml
+++ b/.github/workflows/contrib-tests.yml
@@ -15,10 +15,10 @@ on:
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref }}
 cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
-permissions:
+permissions: {}
 # actions: read
 # checks: read
- contents: read
+ # contents: read
 # deployments: read
 jobs:
 RetrieveChatTest:
diff --git a/.github/workflows/dotnet-run-openai-test-and-notebooks.yml b/.github/workflows/dotnet-run-openai-test-and-notebooks.yml
index f59b3db5bc4b..2a2c97188abe 100644
--- a/.github/workflows/dotnet-run-openai-test-and-notebooks.yml
+++ b/.github/workflows/dotnet-run-openai-test-and-notebooks.yml
@@ -7,10 +7,10 @@ on:
 - 'dotnet/**'
 env:
 BUILD_CONFIGURATION: Release # set this to the appropriate build configuration
-permissions:
+permissions: {}
 # actions: read
 # checks: read
- contents: read
+ # contents: read
 # deployments: read
 jobs:
 build:
diff --git a/.github/workflows/openai.yml b/.github/workflows/openai.yml
index 11cef7e5c6f7..10baabc247b8 100644
--- a/.github/workflows/openai.yml
+++ b/.github/workflows/openai.yml
@@ -12,10 +12,10 @@ on:
 - 'notebook/agentchat_auto_feedback_from_code_execution.ipynb'
 - 'notebook/agentchat_function_call.ipynb'
 - '.github/workflows/openai.yml'
-permissions:
+permissions: {}
 # actions: read
 # checks: read
- contents: read
+ # contents: read
 # deployments: read
 jobs:
 test:
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
index 79b5a33924da..18b23afd18e3 100644
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
@@ -9,10 +9,10 @@ on: # Trigger the workflow on pull request or merge
 defaults:
 run:
 shell: bash
-permissions:
+permissions: {}
 # actions: read
 # checks: read
- contents: read
+ # contents: read
 # deployments: read
 jobs:

diff --git a/.github/workflows/python-package.yml b/.github/workflows/python-package.yml
index 5ccfd77fd234..4f57c10ef706 100644
--- a/.github/workflows/python-package.yml
+++ b/.github/workflows/python-package.yml
@@ -7,10 +7,10 @@ name: python-package
 on:
 release:
 types: [published]
-permissions:
+permissions: {}
 # actions: read
 # checks: read
- contents: read
+ # contents: read
 # deployments: read
 jobs:
 deploy:

From 653a4ac0038d9e2f24b6254cb56ce9b73643cc38 Mon Sep 17 00:00:00 2001
From: Eric Zhu
Date: Mon, 22 Jan 2024 00:05:07 -0800
Subject: [PATCH 5/5] Update deploy-website.yml permission block

---
 .github/workflows/deploy-website.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/deploy-website.yml b/.github/workflows/deploy-website.yml
index df22b5e15180..9ca44150eed5 100644
--- a/.github/workflows/deploy-website.yml
+++ b/.github/workflows/deploy-website.yml
@@ -16,7 +16,8 @@ on:
 workflow_dispatch:
 merge_group:
 types: [checks_requested]
-permissions: {}
+permissions:
+ pages: write
 # actions: read
 # checks: read
 # contents: read
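Review bot: `pages: write` is granted at workflow level in PATCH 5/5, so every job gets it, including the `checks` job that the earlier deploy-website.yml hunks show running on non-push events (`if: github.event_name != 'push'`). Moving the block into the job that actually deploys, and leaving the workflow default at `permissions: {}` or `contents: read`, keeps the write scope off validation runs. Listing only `pages` also leaves `contents` and `id-token` at `none`: a deploy through the Pages artifact flow normally needs `id-token: write` as well, while a deploy that pushes to a publishing branch needs `contents: write` instead. The deploy steps are outside the hunk, so which of the two applies has to be confirmed against them. The commented-out scopes left under the new key can be removed.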