Define top level Permission for fossa.yml (FOSSA) workflow #5080
Conversation
Codecov Report
All modified and coverable lines are covered by tests ✅
❗ Your organization needs to install the Codecov GitHub app to enable full functionality.
Additional details and impacted files

@@ Coverage Diff @@
##           master   #5080   +/-  ##
=====================================
  Coverage        ?  28.21%
=====================================
  Files           ?     632
  Lines           ?   43568
  Branches        ?       0
=====================================
  Hits            ?   12294
  Misses          ?   30378
  Partials        ?     896

Flags with carried forward coverage won't be shown.
☔ View full report in Codecov by Sentry.
.github/workflows/fossa.yml (outdated)
permissions:
  contents: read # Required by actions/checkout@v4 to fetch the repository contents.
  security-events: write # Required by fossas/fossa-action@v1 to upload scan results.
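Review bot: `security-events: write` in this `permissions:` block is broader than the workflow shows it needs; the inline comment "Required by fossas/fossa-action@v1 to upload scan results" should be verified before it is merged, since that scope is the one used for uploading to GitHub code scanning, while the FOSSA step in this workflow authenticates with `api-key: ${{secrets.FOSSA_API_KEY}}` and sends its results to the FOSSA service. Suggest keeping only `contents: read` unless the action is shown to call the GitHub code-scanning API.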
On `security-events: write # Required by fossas/fossa-action@v1 to upload scan results.`:
Please confirm whether the action fossas/fossa-action@v1 requires the permission security-events: write.
@zhzhuang-zju After running StepSecurity's online tool on this workflow, the following was the output:
```yaml
name: FOSSA
on:
  push:
    # Exclude branches created by Dependabot to avoid triggering current workflow
    # for PRs initiated by Dependabot.
    branches-ignore:
      - 'dependabot/**'
permissions: # added using https://github.com/step-security/secure-repo
  contents: read
jobs:
  fossa:
    name: FOSSA
    # prevent job running from forked repository, otherwise
    # 1. running on the forked repository would fail as missing necessary secret.
    # 2. running on the forked repository would use unnecessary GitHub Action time.
    if: ${{ github.repository == 'karmada-io/karmada' }}
    runs-on: ubuntu-22.04
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
        with:
          egress-policy: audit
      - name: checkout code
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      - name: Run FOSSA scan and upload build data
        uses: fossas/fossa-action@f61a4c0c263690f2ddb54b9822a719c25a7b608f # v1.3.1
        with:
          api-key: ${{secrets.FOSSA_API_KEY}}
```
I think security-events: write is not needed for this workflow.
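The point settled in the exchange above, that a workflow's top-level `permissions:` block should grant only the scopes its steps use, is the kind of thing worth checking mechanically across a repository. The following is an added example, not code from this PR or from the karmada project: a small line-based scanner (it deliberately avoids a YAML library) that finds the top-level `permissions:` block of a workflow file, reports any scope granted `write`, and flags the case where no block exists at all, since the `GITHUB_TOKEN` then falls back to the repository's default permission setting. The three workflow texts it runs on are constructed inputs modelled on the before and after versions discussed in this thread.

```python
"""Minimal top-level `permissions:` checker for GitHub Actions workflow files.

Added example for this PR thread; not part of the karmada project. Uses a
line-based scan of the workflow text rather than a YAML parser so it runs
with the standard library only (assumption: workflows use 2-space indents
and put `permissions:` at column 0, as the ones in this thread do).
"""
import re
from typing import Dict, List, Optional

# Constructed input: the block as originally proposed in this PR.
BEFORE = """\
name: FOSSA
on:
  push:
    branches-ignore:
      - 'dependabot/**'
permissions:
  contents: read          # Required by actions/checkout@v4
  security-events: write  # Required by fossas/fossa-action@v1 (?)
jobs:
  fossa:
    runs-on: ubuntu-22.04
"""

# Constructed input: the block after the StepSecurity tool output.
AFTER = """\
name: FOSSA
on:
  push:
    branches-ignore:
      - 'dependabot/**'
permissions: # added using https://github.com/step-security/secure-repo
  contents: read
jobs:
  fossa:
    runs-on: ubuntu-22.04
"""

# Constructed input: a workflow with no top-level permissions block at all.
NO_PERMS = """\
name: FOSSA
on: push
jobs:
  fossa:
    runs-on: ubuntu-22.04
"""

# A YAML comment starts at a `#` that is either at line start or preceded
# by whitespace; anything before that is kept.
_COMMENT = re.compile(r"\s+#.*$|^#.*$")


def _strip_comment(line: str) -> str:
    return _COMMENT.sub("", line).rstrip()


def top_level_permissions(text: str) -> Optional[Dict[str, str]]:
    """Return the top-level permissions mapping, or None when absent.

    The scalar forms (``permissions: write-all`` / ``read-all``) are
    returned as {"*": value} so callers can tell them apart from scopes.
    """
    lines = [_strip_comment(line) for line in text.splitlines()]
    for i, line in enumerate(lines):
        if not line.startswith("permissions:"):
            continue  # indented (job-level) blocks are not top-level
        scalar = line[len("permissions:"):].strip()
        if scalar:
            return {"*": scalar}
        scopes: Dict[str, str] = {}
        for nxt in lines[i + 1:]:
            if not nxt.strip():
                continue
            if not nxt.startswith(" "):
                break  # back at column 0: the block has ended
            key, _, value = nxt.strip().partition(":")
            scopes[key.strip()] = value.strip()
        return scopes
    return None


def findings(text: str) -> List[str]:
    """Human-readable findings for one workflow file; empty list means clean."""
    perms = top_level_permissions(text)
    if perms is None:
        return ["no top-level permissions block; GITHUB_TOKEN falls back to the repository default"]
    if perms.get("*") == "write-all":
        return ["permissions: write-all grants every scope"]
    return [f"{scope}: write" for scope, level in perms.items() if level == "write"]


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER), ("no-perms", NO_PERMS)):
        print(label, findings(text) or "ok")
```

Run on the three constructed inputs, the "before" text reports `security-events: write`, the "after" text reports nothing, and the text with no block is flagged because its effective permissions depend on a repository setting the workflow file does not show. The scalar `write-all` form is reported separately since it is the broadest grant possible.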
Signed-off-by: aditya7302 <aditya7302@gmail.com>
0e34e9f to 5dc7fca
/lgtm
/approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: RainbowMango The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
What type of PR is this?
/kind feature
What this PR does / why we need it:
Which issue(s) this PR fixes:
Part of #5048
Special notes for your reviewer:
Does this PR introduce a user-facing change?: