jbampton commented on PR #1976:
URL: https://github.com/apache/sedona/pull/1976#issuecomment-2950785087

   zizmor is a static analysis tool for GitHub Actions. It can find many common security issues in typical GitHub Actions CI/CD setups. So I ran zizmor here and it found that we did not have our permissions set on these workflows.
   
   https://github.com/zizmorcore/zizmor
   
   refs #1977 
   
   The other workflows that I did not modify already had:
   
   ```
   permissions:
     contents: read
   ```
   
   This is the example from zizmor:
   
   ![Screenshot from 2025-06-07 06-47-33](https://github.com/user-attachments/assets/80bf52ae-3666-4393-a595-f3d3635abf53)
   
   So you can compare this PR to another previous PR and see the difference in the permissions.
   
   ## This PR:
   
   ![Screenshot from 2025-06-07 06-53-37](https://github.com/user-attachments/assets/ce8e9b2b-2ae8-4f99-8484-d767d2a0420d)
   
   ## Another previous PR:
   
   ![Screenshot from 2025-06-07 06-56-12](https://github.com/user-attachments/assets/f30cc611-2d33-4962-84e7-a7d3d8c4909e)
   


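A minimal check for the condition the comment above describes (a workflow with no `permissions:` set), as an added example that is not part of the original comment, the Sedona workflows, or zizmor's own logic. The function name and the sample workflow are constructed, and the check assumes block-style YAML indented with spaces.

```python
import re

# Matches "key:" at any indentation; skips comments and "- item" list entries.
KEY = re.compile(r"^( *)([A-Za-z0-9_-]+) *:")

def jobs_without_permissions(workflow_text):
    """Return job names with no `permissions:` at workflow or job level.
    Assumption: block-style YAML indented with spaces (not a full parser)."""
    has_top_level = in_jobs = False
    job_indent = key_indent = current = None
    declared = {}  # job name -> True if the job sets `permissions:`
    for line in workflow_text.splitlines():
        m = KEY.match(line)
        if not m:
            continue
        indent, key = len(m.group(1)), m.group(2)
        if indent == 0:
            in_jobs = key == "jobs"
            has_top_level = has_top_level or key == "permissions"
        elif in_jobs:
            if job_indent is None:
                job_indent = indent          # indentation of job names
            if indent == job_indent:
                current, key_indent = key, None
                declared[current] = False
            elif current is not None:
                if key_indent is None:
                    key_indent = indent      # indentation of this job's keys
                if indent == key_indent and key == "permissions":
                    declared[current] = True
    return [] if has_top_level else [j for j, ok in declared.items() if not ok]

# Constructed sample workflow: "docs" scopes its token, "build" does not.
BEFORE = """\
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: make
  docs:
    runs-on: ubuntu-latest
    permissions:
      contents: read
"""
# Same workflow with the top-level block quoted in the comment above.
AFTER = "permissions:\n  contents: read\n" + BEFORE
if __name__ == "__main__":
    print(jobs_without_permissions(BEFORE), jobs_without_permissions(AFTER))
```

A job flagged here runs with whatever default `GITHUB_TOKEN` permissions the repository or organization has configured, which is why an explicit block is the safer baseline.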