CI: Add PR write permissions to artifact redirector. #22567
Conversation
Re-enable the circleci artifact redirector action which was disabled when permissions were added to the workflow. Note: permissions added at the job level rather than the workflow level reflecting recommended security practices. [skip github] [skip travis] [skip azp]
Thanks @rossbar, let's give it a try
Looking at #22566 it looks like it didn't work, right? Might be worth enabling debugging to see what the problem is
Tried close/reopen there, but should probably wait for the next PR coming in (or open a dummy one for testing). That one is older than this one.
I guess the log is this, but not helpful?
Do you really have to add that secret for all workflows?
Nowadays via the GitHub UI you can also individually run failed workflows with debugging turned on after they fail, I think. Maybe the
is not broad enough?
@larsoner the workflow doesn't seem to fail? It just doesn't show up?
Ah, there is a debug button in the rerun though, so here you go (can't say I see anything suspicious):
By "it" in the "doesn't show up", you mean the status update pointing to the artifact? I think this implies that it is failing in some way, even if the action shows up green in your list. In particular I'm worried about this stuff:
https://github.com/larsoner/circleci-artifacts-redirector-action/blob/master/dist/index.js#L26670

To me this looks like it tried to post the request to make a status update and it was rejected, but node did not raise an error so the action completes "successfully". See for example actions/first-interaction#10. This is why I think it might still be a permissions issue...
Yes, I mean it shows as green and run successful in the logs, but "doesn't show up" in the PR status. OK, that makes sense... then I guess it is more trial and error about the permissions...
FWIW I haven't had to do this for other repos like MNE-Python. But maybe your actions permissions are by default more strict somehow?
Yeah there was a recent PR #22367 to add permissions to workflows as a general security best-practice, though this may also be part of the new OpenSSF scorecard (#22482) as well. In any case - in the short term we could get the redirector action back by removing the permissions from the workflow entirely (as was done temporarily for the labeler action).
I'm not exactly sure which permissions are required, @larsoner any ideas here? The GitHub docs on workflow permissions are here.
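The PR description says the permissions were added at the job level rather than the workflow level, and the last comment asks which scopes the redirector job actually needs. The workflow below is an added illustration of that layout; it is not the numpy repository's own workflow file. The action name and the `master` ref come from the URL quoted in the thread, but the `status` trigger, the action inputs (`repo-token`, `artifact-path`, `circleci-jobs`) and the path and job-name values are assumptions for the example, so check the action's README before copying them. The `pull-requests: write` scope is the one this PR's title adds; `statuses` is the separate GITHUB_TOKEN scope that gates the commit-status API, which matters if the action reports via a commit status rather than a PR comment.

```yaml
# Added example, not the numpy project's workflow.
#
# The form the PR moves away from is a single workflow-level block such as
#   permissions:
#     pull-requests: write
# That grant applies to every job in the file, so each job (and every
# third-party action it runs) receives the same write-capable token.
name: CircleCI artifact redirector

# Assumption: the redirector reacts to CircleCI commit-status events.
on: [status]

# Workflow-level default: grant nothing. Every job starts with a read-only
# or empty token and must request exactly the scopes it needs.
permissions: {}

jobs:
  circleci_artifacts_redirector_job:
    runs-on: ubuntu-latest
    # Job-level grant: only this job gets write access, and only to the scopes
    # listed here. Scopes not listed (contents, actions, packages, ...) stay
    # at 'none' for this job.
    permissions:
      pull-requests: write   # the scope this PR's title adds
      # statuses: write      # required instead of / in addition to the above
                             # if the action sets a commit status (assumption)
    steps:
      - name: Redirect to CircleCI artifacts
        # Action repo and ref as quoted in the thread.
        uses: larsoner/circleci-artifacts-redirector-action@master
        with:
          # Input names below are assumed for the example; verify against
          # the action's README.
          repo-token: ${{ secrets.GITHUB_TOKEN }}
          artifact-path: 0/doc/build/html/index.html   # constructed placeholder
          circleci-jobs: build_docs                    # constructed placeholder
```

One point worth keeping in mind while doing the "trial and error" the thread mentions: because the action's HTTP client may swallow a rejected request (as the linked `dist/index.js` comment suggests), a green job is not proof the grant is sufficient. Enabling step debug logging on a re-run and looking for the API response code is the quickest way to confirm whether a scope is still missing, and starting from `permissions: {}` at the workflow level keeps any scope you add during that experiment confined to the one job.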