ci: add top-level permissions for least-privilege security#3540
Ankitsinghsisodya wants to merge 2 commits into knative:main from
Conversation
The job defines a matrix with ubuntu-latest (x86_64) and ubuntu-24.04-arm (ARM64) but runs-on was hardcoded to ubuntu-latest, so both matrix entries ran on x86_64. Use the matrix value so ARM64 tests actually run on ARM hardware. Fixes knative#3537
Add `permissions: contents: read` to the test-podman-next workflow to restrict the default GITHUB_TOKEN to read-only access. Fixes knative#3539
[APPROVALNOTIFIER] This PR is NOT APPROVED. This pull-request has been approved by: Ankitsinghsisodya. The full list of commands accepted by this bot can be found here. Details: Needs approval from an approver in each of these files. Approvers can indicate their approval by writing
Hi @Ankitsinghsisodya. Thanks for your PR. I'm waiting for a knative member to verify that this patch is reasonable to test. If it is, they should reply with Regular contributors should join the org to skip this step. Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Details: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
Pull request overview
This PR aims to tighten GitHub Actions security by applying least-privilege GITHUB_TOKEN permissions, while also adjusting an existing workflow job to actually use its OS matrix.
Changes:
- Add top-level `permissions: contents: read` to the `test-podman-next` scheduled workflow.
- Update the Functions workflow's `test-e2e-podman` job to run on `${{ matrix.os }}` (so the ARM64 matrix entry is used).
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| .github/workflows/test-podman-next.yaml | Restricts default token permissions to contents: read at workflow scope. |
| .github/workflows/functions.yaml | Makes test-e2e-podman actually run per matrix.os instead of always ubuntu-latest. |
| needs: precheck | ||
| runs-on: ubuntu-latest | ||
| strategy: | ||
| matrix: | ||
| os: | ||
| - "ubuntu-latest" # x86_64 | ||
| - "ubuntu-24.04-arm" # ARM64 | ||
| runs-on: ${{ matrix.os }} |
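Review bot: with `runs-on: ${{ matrix.os }}` taking the place of the hardcoded `runs-on: ubuntu-latest`, the `"ubuntu-24.04-arm"` matrix entry will execute on an ARM64 runner for the first time, so any steps further down this job that install architecture-specific binaries must select the ARM64 build; a green run on that entry is worth confirming before merge. Placing the new `runs-on` after the `strategy` block works, but keeping it where the removed line sat (directly under `needs: precheck`) would reduce this to a one-line change and keep the job's keys in their usual order.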
The PR description/test plan says this is a no-functional-change update to add least-privilege permissions for test-podman-next.yaml, but this diff also changes the test-e2e-podman job to run on matrix.os (enabling the ARM64 runner entry in the matrix). Please update the PR description (and test plan) to reflect this additional CI behavior change, or split it into a separate PR if it’s unrelated to #3539.
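As an added example (not the knative/func project's own workflow file), a minimal scheduled workflow that puts the two settings this PR changes next to the weak versions they replace; the cron schedule, the step contents and the `make test` target are assumed:

```yaml
# Added example, not the project's workflow. The schedule, step names and
# the `make test` target are assumed for illustration.
name: test-podman-next-example

on:
  schedule:
    - cron: "0 4 * * *"   # assumed schedule
  workflow_dispatch:

# Weak: leave this block out and every job receives the repository's default
# GITHUB_TOKEN grant, which on older repositories is read/write on contents,
# packages, pull-requests and more.
# Hardened: declare the minimum at workflow scope; every job inherits it.
permissions:
  contents: read

jobs:
  precheck:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: echo "precheck ok"

  test-e2e-podman:
    needs: precheck
    strategy:
      fail-fast: false
      matrix:
        os:
          - "ubuntu-latest"     # x86_64
          - "ubuntu-24.04-arm"  # ARM64
    # Weak:     runs-on: ubuntu-latest   (both matrix entries ran on x86_64)
    # Hardened: reference the matrix so each entry lands on its own runner
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@v4
      # Record the runner architecture so the job log shows that the ARM64
      # matrix entry really executed on ARM hardware.
      - run: echo "running on ${{ runner.os }}/${{ runner.arch }}"
      - run: make test   # assumed target

  # A job that genuinely needs to write (e.g. to open an issue on failure)
  # asks for it at job level; the workflow-level grant stays read-only.
  report:
    needs: test-e2e-podman
    if: always()
    runs-on: ubuntu-latest
    permissions:
      contents: read
      issues: write
    steps:
      - run: echo "would create or update a tracking issue with the scoped token"
```

A workflow-level `permissions` block applies to every job that does not declare its own; a job-level block replaces the workflow-level one rather than extending it, which is why the `report` job restates `contents: read` alongside `issues: write`. Whether an absent block yields a read/write or read-only token depends on the repository or organisation default, so declaring it in the file is the setting a reviewer can actually verify.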
Summary
- Add `permissions: contents: read` to `test-podman-next.yaml` to restrict the default GITHUB_TOKEN to read-only access, following the principle of least privilege. Fixes #3539
Test plan