Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

set the permissions required for job in ci-image-scanning.yaml #5119

Merged
merged 1 commit into from
Jul 2, 2024
Merged

set the permissions required for job in ci-image-scanning.yaml #5119

merged 1 commit into from
Jul 2, 2024

Conversation

zhzhuang-zju
Copy link
Contributor

What type of PR is this?
/kind cleanup

What this PR does / why we need it:
refer to #5048 (comment), set the permissions required for the job in ci-image-scanning.yaml

Which issue(s) this PR fixes:
Parts of #5048

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

@zhzhuang-zju
set the permissions required for the job in ci-image-scanning.yaml
9d73721 
Signed-off-by: zhzhuang-zju <m17799853869@163.com>
@karmada-bot karmada-bot added the kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. label Jul 2, 2024
@karmada-bot karmada-bot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Jul 2, 2024
@codecov-commenter
Copy link

⚠️ Please install the 'codecov app svg image' to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 28.21%. Comparing base (011db83) to head (9d73721).
Report is 2 commits behind head on master.

❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files 
@@           Coverage Diff           @@
##           master    #5119   +/-   ##
=======================================
  Coverage   28.20%   28.21%           
=======================================
  Files         632      632           
  Lines       43571    43571           
=======================================
+ Hits        12289    12293    +4     
+ Misses      30384    30382    -2     
+ Partials      898      896    -2
Flag Coverage Δ
unittests 28.21% <ø> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

liangyuanpeng
liangyuanpeng reviewed Jul 2, 2024
View reviewed changes
.github/workflows/ci-image-scanning.yaml
Comment on lines +12 to +13
permissions:
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
Copy link
Contributor

@liangyuanpeng liangyuanpeng Jul 2, 2024
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm a little hesitant about this, it will only distract we, especially since this have only one job.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The change here is actually due to two considerations:

  • Avoid top-level permissions inheriting to job-level, making job-level permissions too large. This is because the permissions needed for different jobs can vary greatly. A good practice is: setting as read-only at the top level and the required write permissions are declared at the run-level
  • refer to https://scorecard.dev/viewer/?uri=github.com/karmada-io/karmada, it's not recommended that topLevel 'security-events' permission set to 'write'.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks for explain, it's make sense for me.
/lgtm
/approve

@karmada-bot karmada-bot added the lgtm Indicates that a PR is ready to be merged. label Jul 2, 2024
@karmada-bot
Copy link
Collaborator

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: liangyuanpeng

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@karmada-bot karmada-bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 2, 2024
@karmada-bot karmada-bot merged commit 8e54677 into karmada-io:master Jul 2, 2024
12 checks passed
@RainbowMango RainbowMango added this to the v1.11 milestone Jul 2, 2024
@zhzhuang-zju zhzhuang-zju mentioned this pull request Jul 2, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@liangyuanpeng liangyuanpeng liangyuanpeng left review comments

@jwcesign jwcesign Awaiting requested review from jwcesign

Assignees

@liangyuanpeng liangyuanpeng

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. lgtm Indicates that a PR is ready to be merged. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.
Projects
None yet
Milestone
v1.11
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@zhzhuang-zju @codecov-commenter @karmada-bot @liangyuanpeng @RainbowMango