-
Notifications
You must be signed in to change notification settings - Fork 859
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
set the permissions required for job in ci-image-scanning.yaml #5119
Conversation
Signed-off-by: zhzhuang-zju <m17799853869@163.com>
Codecov ReportAll modified and coverable lines are covered by tests ✅
❗ Your organization needs to install the Codecov GitHub app to enable full functionality. Additional details and impacted files@@ Coverage Diff @@
## master #5119 +/- ##
=======================================
Coverage 28.20% 28.21%
=======================================
Files 632 632
Lines 43571 43571
=======================================
+ Hits 12289 12293 +4
+ Misses 30384 30382 -2
+ Partials 898 896 -2
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
permissions: | ||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm a little hesitant about this, it will only distract we, especially since this have only one job.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The change here is actually due to two considerations:
- Avoid top-level permissions inheriting to job-level, making job-level permissions too large. This is because the permissions needed for different jobs can vary greatly. A good practice is: setting as read-only at the top level and the required write permissions are declared at the run-level
- refer to https://scorecard.dev/viewer/?uri=github.com/karmada-io/karmada, it's not recommended that topLevel 'security-events' permission set to 'write'.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
thanks for explain, it's make sense for me.
/lgtm
/approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: liangyuanpeng The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
What type of PR is this?
/kind cleanup
What this PR does / why we need it:
refer to #5048 (comment), set the permissions required for the job in ci-image-scanning.yaml
Which issue(s) this PR fixes:
Parts of #5048
Special notes for your reviewer:
Does this PR introduce a user-facing change?: