ppkarwasz opened a new pull request, #421: URL: https://github.com/apache/logging-parent/pull/421

This update limits the `GITHUB_TOKEN` permissions granted to reusable workflows, ensuring they operate with only the permissions strictly necessary for their function. Although GitHub ensures that reusable workflows cannot exceed the permissions granted by the calling workflow, [GitHub documentation](https://docs.github.com/en/actions/sharing-automations/reusing-workflows#access-and-permissions) recommends that they explicitly declare the minimal permissions they require. This practice helps prevent misuse in scenarios where a caller might over-provision permissions.

#### 🔐 Updated Permissions by Workflow:

- **`contents: write`**
  Required only by:
  - `deploy-release-reusable`
  - `deploy-site-reusable`

  These workflows need write access to push changes to Git branches. For all other workflows, we now explicitly set `contents: none`.

- **`security-events: write`**
  Required only by:
  - `codeql-analysis-reusable`
  - `scorecards-analysis-reusable`

  These workflows need this permission to upload security scanning results.

By scoping permissions tightly, we improve our workflows' security posture without impacting functionality.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscr...@logging.apache.org
For queries about this service, please contact Infrastructure at: us...@infra.apache.org