kou commented on issue #49729: URL: https://github.com/apache/arrow/issues/49729#issuecomment-4249480022
> * `.github/workflows/package_linux.yml` has `contents: write` at the workflow level — this should be scoped to the specific job that needs it.

We can move https://github.com/apache/arrow/blob/4eca50770f7f2c5938a676f0719fbfc8aae4803c/.github/workflows/package_linux.yml#L67-L68 to https://github.com/apache/arrow/blob/4eca50770f7f2c5938a676f0719fbfc8aae4803c/.github/workflows/package_linux.yml#L79 for this.

> The following workflows pass all secrets to reusable workflows via `secrets: inherit` instead of explicitly listing required secrets:
>
> * `.github/workflows/cpp_extra.yml` (2 instances)
> * `.github/workflows/cuda_extra.yml` (2 instances)
> * `.github/workflows/package_linux.yml` (2 instances)
> * `.github/workflows/python.yml`
> * `.github/workflows/r.yml`

It seems that `python.yml` and `r.yml` don't have `secrets: inherit`.

Other workflows use https://github.com/apache/arrow/blob/main/.github/workflows/check_labels.yml and https://github.com/apache/arrow/blob/main/.github/workflows/report_ci.yml. `check_labels` needs only `github.token`. `report_ci` needs only `github.token`, `secrets.ARROW_SMTP_PASSWORD` and `${{ secrets.ARROW_ZULIP_WEBHOOK }}`. So we can list them explicitly instead of using `secrets: inherit`.

In general, minimum permissions/secrets are better but [the ASF GitHub Actions policy](https://infra.apache.org/github-actions-policy.html) doesn't require them. So these changes are not required. They are just better. If you can create a PR with generative AI, let's do them.
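The two changes discussed in the comment (job-scoped `contents: write` and explicitly listed secrets instead of `secrets: inherit`), shown as an added before/after example that is not code from the Arrow repository; the workflow name `package`, the job ids, the echo steps and the shape of the called `report_ci.yml` are assumptions.

```yaml
# Before: caller workflow with a workflow-level write permission and secrets: inherit
name: package
on: [push]
permissions:
  contents: write          # every job gets write, including ones that only build
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: echo "build only; needs no write access"
  upload:
    runs-on: ubuntu-latest
    steps:
      - run: echo "the only job that writes to the repository"
  report:
    uses: ./.github/workflows/report_ci.yml
    secrets: inherit       # hands every repository secret to the called workflow
---
# After: read-only by default, write scoped to one job, secrets named explicitly
name: package
on: [push]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: echo "build only; runs with a read-only token"
  upload:
    runs-on: ubuntu-latest
    permissions:
      contents: write      # job-level override: only this job can write
    steps:
      - run: echo "the only job that writes to the repository"
  labels:
    uses: ./.github/workflows/check_labels.yml
    # needs only github.token (passed to called workflows automatically): no secrets: block
  report:
    uses: ./.github/workflows/report_ci.yml
    secrets:
      ARROW_SMTP_PASSWORD: ${{ secrets.ARROW_SMTP_PASSWORD }}
      ARROW_ZULIP_WEBHOOK: ${{ secrets.ARROW_ZULIP_WEBHOOK }}
---
# Called workflow (assumed shape of report_ci.yml): each explicitly passed secret is declared here
on:
  workflow_call:
    secrets:
      ARROW_SMTP_PASSWORD: { required: true }
      ARROW_ZULIP_WEBHOOK: { required: true }
```

The three documents are separated by `---` only for side-by-side reading; in a repository each would be its own file.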
