diogoteles08 commented on issue #36898:
URL: https://github.com/apache/arrow/issues/36898#issuecomment-1707168802
> Hm I was under the impression that merging a pr would also require
`contents:write` but I might be mistaken.
Actually, I think you are right: the endpoint `PUT
/repos/{owner}/{repo}/pulls/{pull_number}/merge` that I mentioned is on this
[list of
endpoints](https://docs.github.com/en/rest/overview/permissions-required-for-github-apps?apiVersion=2022-11-28#repository-permissions-for-contents)
protected by the `contents: write` permission. My misunderstanding, sorry.
In any case, the [GitHub
documentation](https://docs.github.com/en/rest/overview/permissions-required-for-github-apps?apiVersion=2022-11-28#repository-permissions-for-pull-requests)
lists the endpoints to
[approve](https://docs.github.com/en/rest/pulls/reviews?apiVersion=2022-11-28#create-a-review-for-a-pull-request)
and [update a
PR](https://docs.github.com/en/rest/pulls/pulls?apiVersion=2022-11-28#update-a-pull-request)
as protected only by the `pull-requests: write` permission, and they could
also be maliciously abused, so I think the changes are still valid.
If you still don't oppose it, I'll soon raise a first PR hash-pinning
the actions called with `pull-requests: write` and any action that is called in
a context that uses secrets (which I realized is the case for
[cpp.yml](https://github.com/apache/arrow/blob/main/.github/workflows/cpp.yml#L117),
for example), and then another PR hash-pinning the pip dependencies -- it
won't affect local development and should only impact the CI pipelines.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
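The comment above proposes hash-pinning the actions invoked in jobs that hold `pull-requests: write` or that use secrets. The following audit script is an added example, written for this page; it is not code from the commenter or from the Apache Arrow project. It walks a workflow file line by line and reports `uses:` references that are not pinned to a full 40-hex commit SHA (or, for `docker://` images, to a `@sha256:` digest), plus any `<scope>: write` permission lines and any `secrets.` references, so a reviewer can see at a glance which jobs are in the risky combination the commenter describes. The sample workflow embedded in `SAMPLE_WORKFLOW` is constructed for the example, and the 40-hex SHA in it is a placeholder, not a real commit.

```python
import re

# A "pinned" action reference ends in a full 40-character commit SHA.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches "uses: <ref>" step lines (optionally list-prefixed with "- ").
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
# Matches "<scope>: write" lines, e.g. "pull-requests: write".
WRITE_PERM_RE = re.compile(r"^\s*([a-z-]+)\s*:\s*write\b")
# Any use of the secrets context, e.g. ${{ secrets.GITHUB_TOKEN }}.
SECRET_RE = re.compile(r"secrets\.")

# Constructed sample workflow; the SHA below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: C++
on: [push, pull_request]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.18
      - name: Push results
        env:
          TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: ./push.sh
"""


def is_hash_pinned(ref):
    """True when a `uses:` reference cannot silently change content."""
    if ref.startswith("./"):
        # Local composite action: it lives in the same repository, so there
        # is no external ref to pin.
        return True
    if ref.startswith("docker://"):
        # Container actions are immutable only when pinned by digest.
        return "@sha256:" in ref
    if "@" not in ref:
        # No ref at all means the default branch: mutable.
        return False
    return bool(SHA_RE.fullmatch(ref.rsplit("@", 1)[1]))


def audit_workflow(text):
    """Return findings as lists of (line_number, matched_text) tuples."""
    findings = {"unpinned": [], "write_permissions": [], "secret_refs": []}
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and not is_hash_pinned(m.group(1)):
            findings["unpinned"].append((lineno, m.group(1)))
        m = WRITE_PERM_RE.match(line)
        if m:
            findings["write_permissions"].append((lineno, m.group(1)))
        if SECRET_RE.search(line):
            findings["secret_refs"].append((lineno, line.strip()))
    return findings


def report(text):
    """Human-readable summary of the audit."""
    f = audit_workflow(text)
    lines = []
    for lineno, ref in f["unpinned"]:
        lines.append(f"line {lineno}: unpinned action {ref}")
    for lineno, scope in f["write_permissions"]:
        lines.append(f"line {lineno}: write permission on {scope}")
    for lineno, src in f["secret_refs"]:
        lines.append(f"line {lineno}: secret used: {src}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_WORKFLOW))
```

The check is deliberately line-based rather than a YAML parse, so it can run in a pre-commit hook or CI job with no dependencies; the trade-off is that it does not know which job a `secrets.` reference belongs to, so a reviewer still correlates the reported line numbers with the job boundaries by hand.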