arpitjain099 commented on PR #63573:
URL: https://github.com/apache/doris/pull/63573#issuecomment-4597767369

   Thanks @hello-stephen, this is a great review. You traced the action sources 
exactly right, and you're correct that three of the four would have regressed.
   
   I have narrowed the PR rather than declaring the write scopes myself:
   
   - `clang-format.yml` keeps workflow-level `contents: read` (no token API 
calls, as you noted).
   - `title-checker.yml` now declares `contents: read` plus `pull-requests: 
read`, since `action-pr-title` calls `pulls.get()`. Both are read scopes, so 
nothing is granted write.
   - `lfs-warning.yml` and `license-eyes.yml` are dropped from this PR. Their 
actions write back to the PR (`issues: write` and `pull-requests: write` 
respectively), and I would rather not introduce write scopes from an outside 
contribution. They are easy to harden with the exact blocks you listed whenever 
a maintainer wants to:
   
   ```yaml
   # lfs-warning.yml
   permissions:
     contents: read
     pull-requests: read
     issues: write
   
   # license-eyes.yml
   permissions:
     contents: read
     pull-requests: write
   ```
   
   So this PR is now just the two safe, read-only declarations. Let me know if 
you'd prefer I fold the other two back in with those scopes instead.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
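A defender-side check for the least-privilege point discussed above, added here as an example that is not part of the PR or the Doris project: a small Python audit that reads each workflow's top-level `permissions:` block and flags files that omit it or grant any write scope. The sample workflows are constructed to mirror the four files named in the comment, not the repository's real ones, and the line-based parser only handles workflow-level blocks (job-level `permissions:` are ignored).

```python
"""Audit top-level `permissions:` of GitHub Actions workflows for least privilege."""
import re
from typing import Dict, List, Optional

# Constructed sample workflows modelled on the PR comment; not the project's files.
WORKFLOWS = {
    "clang-format.yml": "on: [pull_request]\npermissions:\n  contents: read\n"
                        "jobs:\n  fmt:\n    runs-on: ubuntu-latest\n",
    "title-checker.yml": "on: [pull_request_target]\npermissions:\n  contents: read\n"
                         "  pull-requests: read\njobs:\n  check:\n    runs-on: ubuntu-latest\n",
    "lfs-warning.yml": "on: [pull_request]\npermissions:\n  contents: read\n"
                       "  pull-requests: read\n  issues: write\njobs:\n  lfs:\n    runs-on: ubuntu-latest\n",
    "no-block.yml": "on: [push]\njobs:\n  build:\n    runs-on: ubuntu-latest\n",
}

def top_level_permissions(text: str) -> Optional[Dict[str, str]]:
    """Workflow-level permissions map; shorthand (read-all/write-all/{}) is stored
    under "*"; None when no top-level block exists (repo default token applies)."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^permissions:\s*(\S*)\s*$", line)   # column 0 only
        if not m:
            continue
        if m.group(1):
            return {"*": m.group(1)}
        perms: Dict[str, str] = {}
        for nxt in lines[i + 1:]:
            km = re.match(r"^\s+([\w-]+):\s*(\S+)", nxt)
            if not km:        # dedent ends the mapping
                break
            perms[km.group(1)] = km.group(2)
        return perms
    return None

def audit(workflows: Dict[str, str]) -> List[str]:
    """One finding per file that lacks a top-level block or grants any write scope."""
    findings = []
    for name, text in workflows.items():
        perms = top_level_permissions(text)
        if perms is None:
            findings.append(f"{name}: no top-level permissions block")
        elif perms.get("*") == "write-all":
            findings.append(f"{name}: write-all")
        else:
            writes = sorted(k for k, v in perms.items() if v == "write")
            if writes:
                findings.append(f"{name}: write scopes {writes}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(WORKFLOWS)) or "all workflows read-only")
```

Run against a real checkout by loading `.github/workflows/*.yml` into the dict; a clean result means every workflow declares a top-level block and none of them grants write.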