
Add read-only token permissions #490

Merged
merged 1 commit into from Sep 13, 2023

Conversation


@pnacht pnacht commented May 22, 2023

Fixes prometheus/prometheus#12379.

As mentioned there, this PR ensures the golangci-lint workflow always runs with read-only permissions, protecting the projects that use it from supply-chain attacks.

This PR was originally submitted as prometheus/procfs#525, but following @discordianfish's suggestion there, I'm re-submitting it here.

Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
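For readers who want to see what "always runs with read-only permissions" looks like in a GitHub Actions file, here is an added illustration, not the diff merged in this PR (the page does not show the PR's file contents). The `permissions` block is the mechanism the description refers to; the `lint` job name, the action version pins and the Go version are assumptions.

```yaml
# .github/workflows/golangci-lint.yml (illustrative example, not the file from this PR)
name: golangci-lint

on:
  push:
  pull_request:

# Without a top-level `permissions` key, every job in this workflow receives the
# repository's default GITHUB_TOKEN scopes, which can be read-write. Declaring
# read-only scopes at the top level caps the token for all jobs, so a compromised
# linter, linter plugin or third-party action cannot push code, edit releases or
# rewrite other workflows. A job that genuinely needs more can still override
# this at job level, which keeps any escalation visible in review.
permissions:
  contents: read
  # Optional: read access to pull requests, only needed with the action's
  # `only-new-issues` option.
  pull-requests: read

jobs:
  lint:                                   # job name is an assumption
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3         # version pins are assumptions
      - uses: actions/setup-go@v4
        with:
          go-version: 1.20.x              # assumed Go version
      - uses: golangci/golangci-lint-action@v3
        with:
          version: latest                 # pin to a release in a real repository
```

Auditing for this is straightforward: a workflow whose YAML has neither a top-level nor a job-level `permissions` key is running on repository defaults, and that is the case to look for across every repository that copies this file.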
@discordianfish discordianfish left a comment

LGTM, thanks!

@pnacht pnacht commented Aug 25, 2023

Hey, are there any changes you'd like to see on this policy?

@discordianfish
Technically @roidelapluie needs to approve this first

@roidelapluie
LGTM

@discordianfish discordianfish merged commit 86487d4 into prometheus:main Sep 13, 2023
7 checks passed
@pnacht pnacht commented Sep 13, 2023

Thanks for merging this! However, I just noticed that golangci-lint.yml exists both here in prometheus/common and in prometheus/prometheus/scripts.

Also, the prometheus/prometheus version seems to be more up-to-date than this one (it runs Go 1.54.2, while here it's on 1.51.2, for example).

I also noticed that prometheus/procfs just received an update to its golangci-lint.yml taken from prometheus/prometheus. Should I repeat this PR over there?

@discordianfish
Uhmm.. good question, I assumed this is the source of truth but might be out of the loop a bit - @roidelapluie?

Successfully merging this pull request may close these issues.

Set read-only workflow permissions
3 participants