From edeca0a4fca3168c1f6e7cbe8fe5022e7aeec875 Mon Sep 17 00:00:00 2001
From: Scott Addie <10702007+scottaddie@users.noreply.github.com>
Date: Mon, 29 Jul 2024 09:03:24 -0500
Subject: [PATCH 1/2] Update line numbers for Azure SDK DI doc (#41925)
---
 docs/azure/sdk/dependency-injection.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/azure/sdk/dependency-injection.md b/docs/azure/sdk/dependency-injection.md
index a5069d0166f8a..e5fab40e25b58 100644
--- a/docs/azure/sdk/dependency-injection.md
+++ b/docs/azure/sdk/dependency-injection.md
@@ -50,7 +50,7 @@ In the *Program.cs* file, invoke the
Date: Mon, 29 Jul 2024 10:26:32 -0400
Subject: [PATCH 2/2] Apply the principle of least privilege to our GitHub action tokens (#41911)
* Update token permissions Use `pull_request_target` where possible. Specify job-level permissions of `contents: read` where possible. Remove unused job-specific permissions.
* Delete try-verifier-fix. It's not running, and it has elevated perms.
* fixing perms
---
 .../workflows/check-for-build-warnings.yml | 11 +---
 .github/workflows/clean-repo.yml | 1 -
 .github/workflows/docs-verifier-tryfix.yml | 56 -------------------
 .github/workflows/docs-verifier.yml | 4 ++
 .github/workflows/live-protection.yml | 5 +-
 .github/workflows/rebase-needed.yml | 2 +-
 6 files changed, 12 insertions(+), 67 deletions(-)
 delete mode 100644 .github/workflows/docs-verifier-tryfix.yml
diff --git a/.github/workflows/check-for-build-warnings.yml b/.github/workflows/check-for-build-warnings.yml
index 33e7a923b4412..2c7d95a4380ec 100644
--- a/.github/workflows/check-for-build-warnings.yml
+++ b/.github/workflows/check-for-build-warnings.yml
@@ -1,7 +1,7 @@
 name: 'OPS status checker'
 on:
- pull_request_target:
+ pull_request:
 types: [opened, synchronize, reopened]
 permissions:
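Review bot: The `- pull_request_target:` / `+ pull_request:` lines contradict the commit description, which says `pull_request_target` is used where possible; the same switch appears in live-protection.yml and rebase-needed.yml, so either the description or the trigger is inverted. `pull_request` is the safer trigger for this job now that the checkout of the PR head is gone (next hunk), but it also means a PR from a fork runs with a read-only GITHUB_TOKEN and no repository secrets, so any status or comment write by the downstream `status-checker` step cannot succeed for fork PRs whatever the job-level permissions grant. Worth either correcting the description to say `pull_request` or confirming that fork PRs are out of scope for this check.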
@@ -12,19 +12,14 @@ jobs:
 name: Look for build warnings
 runs-on: ubuntu-latest
 permissions:
- statuses: write
- issues: write
- pull-requests: write
+ statuses: read
+ pull-requests: read
 steps:
 - name: Harden Runner
 uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
 with:
 egress-policy: audit
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- with:
- ref: ${{ github.event.pull_request.head.sha }}
-
 - uses: dotnet/docs-tools/actions/status-checker@5e8bcc78465d45a7544bba56509a1a69922b6a5a # main
 with:
 repo_token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/clean-repo.yml b/.github/workflows/clean-repo.yml
index 00569c409e21b..c33205c718fc8 100644
--- a/.github/workflows/clean-repo.yml
+++ b/.github/workflows/clean-repo.yml
@@ -13,7 +13,6 @@ jobs:
 runs-on: ubuntu-latest
 permissions:
 contents: write
- issues: write
 pull-requests: write
 steps:
diff --git a/.github/workflows/docs-verifier-tryfix.yml b/.github/workflows/docs-verifier-tryfix.yml
deleted file mode 100644
index 0e23b8c5e4272..0000000000000
--- a/.github/workflows/docs-verifier-tryfix.yml
+++ /dev/null
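Review bot: `+ statuses: read` sits uneasily with the `repo_token: ${{ secrets.GITHUB_TOKEN }}` still passed to `status-checker` on the last lines of the hunk: if that action sets commit statuses it now needs `statuses: write` and will fail with a 403 on same-repo PRs, and if it only reads them the `pull-requests: read` grant is probably unnecessary as well. The commit message says these scopes were unused, which may well be true, but the workflow is named 'OPS status checker', so confirming against the action's source before merging would settle it. Removing the checkout pinned to `ref: ${{ github.event.pull_request.head.sha }}` is the right call; since a job-level `permissions:` block sets every unlisted scope to none, `contents` is already off for this job and needs no further change.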
@@ -1,56 +0,0 @@
-name: MSDocs build verifier - tryfix
-on:
- issue_comment:
- types: [created]
-
-permissions:
- contents: read
-
-jobs:
- tryfix:
- if: github.event.issue.pull_request != '' && contains(github.event.comment.body, '/tryfix')
- name: Try fix build
- runs-on: ubuntu-latest
- permissions: write-all
- env:
- IS_TRY_FIX: true # differentiates /tryfix from the validation-only run.
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- steps:
- - name: Harden Runner
- uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
- with:
- egress-policy: audit
-
- - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea
- id: get-pr
- with:
- script: |
- const request = {
- owner: context.repo.owner,
- repo: context.repo.repo,
- pull_number: context.issue.number
- }
- core.info(`Getting PR #${request.pull_number} from ${request.owner}/${request.repo}`)
- try {
- const result = await github.pulls.get(request)
- return result.data
- } catch (err) {
- core.setFailed(`Request failed with error ${err}`)
- }
- name: Checkout the repository
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-
- - name: Checkout Pull Request
- run: |
- hub pr checkout ${{ github.event.issue.number }}
-
- - name: Tryfix
- uses: dotnet/docs-actions/actions/docs-verifier@5e8bcc78465d45a7544bba56509a1a69922b6a5a # main
-
- - name: Push changes
- run: |
- git config --global user.name github-actions
- git config --global user.email 41898282+github-actions[bot]@users.noreply.github.com
- git remote add fork https://github.com/${{ fromJSON(steps.get-pr.outputs.result).head.repo.full_name }}
- git commit -am "Automated: Fix links"
- git push -u fork ${{ fromJSON(steps.get-pr.outputs.result).head.ref }}
diff --git a/.github/workflows/docs-verifier.yml b/.github/workflows/docs-verifier.yml
index df77f87872e75..237dfe465a7b5 100644
--- a/.github/workflows/docs-verifier.yml
+++ b/.github/workflows/docs-verifier.yml
@@ -1,5 +1,9 @@
 name: MSDocs build verifier
 on: pull_request
+
+permissions:
+ contents: read
+
 env:
 GITHUB_PR_NUMBER: ${{ github.event.pull_request.number }}
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/live-protection.yml b/.github/workflows/live-protection.yml
index 2020b2b550e90..026123e142acb 100644
--- a/.github/workflows/live-protection.yml
+++ b/.github/workflows/live-protection.yml
@@ -1,4 +1,7 @@
-on: [pull_request_target]
+on: [pull_request]
+
+permissions:
+ contents: read
 jobs:
 comment:
diff --git a/.github/workflows/rebase-needed.yml b/.github/workflows/rebase-needed.yml
index 052e4789d98f3..6fb693c97ed0c 100644
--- a/.github/workflows/rebase-needed.yml
+++ b/.github/workflows/rebase-needed.yml
@@ -2,7 +2,7 @@ name: "rebase required"
 on:
 push:
- pull_request_target:
+ pull_request:
 types: [synchronize]
 permissions:
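Review bot: The workflow-level `permissions:` block is a good default, but the `env:` block immediately below it still exports `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` to every step of every job; with `contents: read` the exposure is small, yet scoping the token to the one step that needs it (a step-level `env:` or a `with:` input) keeps it out of the process environment of unrelated steps. The jobs of this workflow are outside the hunk, so if any of them posts a check or a PR comment it now also needs a job-level grant, since the workflow default has become read-only.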
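Review bot: The job following the added `permissions:` block is named `comment:`, and its body is outside this hunk; if it writes a PR comment it now needs a job-level `pull-requests: write`, and under the new `+on: [pull_request]` trigger a PR opened from a fork receives a read-only token, so the comment would fail there regardless of what the workflow grants. If this workflow is meant to guard PRs that target the live branch, confirm whether fork PRs are in scope; if they are, a failing job is a more reliable signal than a comment. As a minor point of style, `on: [pull_request]` could be written in block form to match rebase-needed.yml, e.g. `on:` followed by `  pull_request:`.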