[CI] Limit Pages write permissions to deploy job #839
7b7c71d to f97f897
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 7b7c71d59c
| permissions: | ||
| id-token: write | ||
| pages: write |
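Review bot: In the deploy job's `permissions:` block only `id-token: write` and `pages: write` are listed, and a job-level block sets every unlisted scope to none, so check that no step in this job relies on another scope such as `contents: read`. A one-line comment above the block saying why each scope is granted would also help keep the grant from drifting back to workflow level later.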
Preserve workflow-level read-only token defaults
Because .github/workflows/main.yml calls this reusable workflow without a permissions override, leaving this workflow with no top-level permissions makes the three build jobs inherit the repo/org default GITHUB_TOKEN permissions. In installations where Actions is still configured for read/write defaults, that includes pages: write, so the checkout/build/upload jobs retain the Pages write privilege this change is trying to confine to deploy-pages; keep a top-level read-only baseline such as contents: read and override only this deploy job for Pages/OIDC.
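The layout the review comment above asks for, sketched as an added example that is not this repository's workflow: a read-only workflow-level baseline, with Pages and OIDC write scopes granted only on the deploy job. The `build` job name, the build command, the artifact path and the action versions are assumptions; only the `deploy-pages` job name and the permission scopes come from the thread.

```yaml
# Added example, not the project's workflow file.
name: docs                      # hypothetical reusable workflow
on:
  workflow_call:

# Baseline for every job in this file. Scopes not listed here become
# "none", so jobs stop inheriting the repo/org default GITHUB_TOKEN
# permissions (which may still be read/write, including pages: write).
permissions:
  contents: read

jobs:
  build:                        # stands in for the build jobs (name assumed)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make docs          # hypothetical build command
      - uses: actions/upload-pages-artifact@v3
        with:
          path: build/html      # hypothetical output directory

  deploy-pages:
    needs: build
    runs-on: ubuntu-latest
    # A job-level block replaces the workflow-level one for this job only.
    permissions:
      id-token: write           # OIDC token used by the Pages deployment
      pages: write              # create the Pages deployment
    environment:
      name: github-pages
    steps:
      - uses: actions/deploy-pages@v4
```

A called workflow cannot raise permissions above what the calling job's token allows, so the job in `.github/workflows/main.yml` that invokes this file must permit at least `pages: write` and `id-token: write`.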
Codecov Report
✅ All modified and coverable lines are covered by tests.
Additional details and impacted files
@@ Coverage Diff @@
## master #839 +/- ##
=======================================
Coverage 90.63% 90.63%
=======================================
Files 15 15
Lines 491 491
Branches 183 183
=======================================
Hits 445 445
Misses 8 8
Partials 38 38
No description provided.