ci: declare contents: read on check-api-docs and check#796
Conversation
- check-api-docs.yml verifies that generated API docs match source. - check.yml runs the KEP TOC update/verify scripts on docs changes. Neither writes to GitHub; both only run local make/scripts. Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
✅ Deploy Preview for agent-sandbox canceled.
|
|
Welcome @arpitjain099! |
|
Hi @arpitjain099. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Regular contributors should join the org to skip this step. Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
There was a problem hiding this comment.
Pull request overview
This PR tightens GitHub Actions security posture by explicitly setting the default GITHUB_TOKEN permission to contents: read for the two CI workflows that only need to checkout and run local verification commands (API doc generation check and KEP TOC check).
Changes:
- Add workflow-level
permissions: contents: readto.github/workflows/check.yml. - Add workflow-level
permissions: contents: readto.github/workflows/check-api-docs.yml.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| .github/workflows/check.yml | Declares contents: read at the workflow level for the TOC verification workflow. |
| .github/workflows/check-api-docs.yml | Declares contents: read at the workflow level for the API docs generation/verification workflow. |
fb84df8 to
e78e78e
Compare
|
Thanks @arpitjain099 /lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: arpitjain099, barney-s The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/ok-to-test |
…gs#796) - check-api-docs.yml verifies that generated API docs match source. - check.yml runs the KEP TOC update/verify scripts on docs changes. Neither writes to GitHub; both only run local make/scripts. Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
…gs#796) - check-api-docs.yml verifies that generated API docs match source. - check.yml runs the KEP TOC update/verify scripts on docs changes. Neither writes to GitHub; both only run local make/scripts. Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
Adds an explicit
permissions: contents: readblock to the two CI workflows that hadn't declared their token scope. Both only run local make/script commands to verify generated docs and KEP table-of-contents.YAML validated locally.