github-actions[bot] commented on code in PR #63573:
URL: https://github.com/apache/doris/pull/63573#discussion_r3333163037


##########
.github/workflows/lfs-warning.yml:
##########
@@ -20,6 +20,9 @@ name: 'Check Large File'
 
 on: [push, pull_request_target]
 
+permissions:
+  contents: read
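Review bot: the `permissions` block sits at workflow level directly under `on: [push, pull_request_target]`, so the single `contents: read` entry applies to both triggers and to every job in the file. Since `pull_request_target` runs in the base repository's context, it is worth scoping the token, but list each scope the jobs actually use here, or declare `permissions` per job so the scopes sit next to the step that consumes the token.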

Review Comment:
   This workflow still passes `secrets.GITHUB_TOKEN` to `ppremk/lfs-warning`, 
and that action is not read-only: it calls `issues.addLabels`, 
`issues.createComment`, `issues.removeLabel`, and may create the warning label. 
With a workflow-level `permissions` block, every unspecified scope is set to 
`none`, so `contents: read` removes the issue/label write permission that the 
large-file path depends on. A PR that adds a file over the limit will now fail 
with `Resource not accessible by integration` instead of adding the warning 
label/comment. Please keep least privilege but include the scopes this action 
needs, e.g. `pull-requests: read` plus `issues: write` (and `contents: read` 
for checkout/blob reads).



##########
.github/workflows/title-checker.yml:
##########
@@ -22,6 +22,9 @@ on:
   pull_request:
     types: [ opened, edited ]
 
+permissions:

Review Comment:
   `action-pr-title` uses the provided `github_token` to call 
`client.rest.pulls.get(...)` because it intentionally refreshes the PR title 
from the API. After adding a workflow-level permissions block, unspecified 
scopes are `none`, so this job no longer grants Pull Requests read permission 
to that API call. Please add `pull-requests: read` here (keeping 
`contents: read` if checkout still needs it) so title checks continue to work 
with least privilege.



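The rule the first review comment relies on (once a workflow-level `permissions` block exists, unlisted scopes become `none`) can be checked mechanically. The following is an added example, not code from the PR or from Apache Doris: the function names, the simplified line-based parsing, and the sample inputs are assumptions, and the required scopes are the ones the review comment lists for `ppremk/lfs-warning`.

```python
import re

LEVELS = {"none": 0, "read": 1, "write": 2}
# Constructed input: the lfs-warning.yml lines visible in the hunk.
AS_SUBMITTED = "on: [push, pull_request_target]\n\npermissions:\n  contents: read\n"
# Constructed input: the same lines plus the scopes the review comment suggests.
AS_SUGGESTED = AS_SUBMITTED + "  pull-requests: read\n  issues: write\n"
# Scopes the review comment says the action needs.
LFS_WARNING_NEEDS = {"contents": "read", "pull-requests": "read", "issues": "write"}

def token_permissions(workflow_text):
    """Return workflow-level permissions as a dict, a shorthand string
    ('read-all' / 'write-all'), or None when there is no top-level block.
    Simplified line parser (assumption): job-level blocks are ignored."""
    lines = workflow_text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^permissions:\s*(.*?)\s*$", line)
        if not m:
            continue
        if m.group(1) in ("read-all", "write-all"):
            return m.group(1)
        if m.group(1) == "{}":
            return {}  # every scope is none
        scopes = {}
        for child in lines[i + 1:]:
            if not child.strip() or child.lstrip().startswith("#"):
                continue
            c = re.match(r"^\s+([\w-]+):\s*(read|write|none)\s*$", child)
            if not c:
                break  # a dedented or unrelated key ends the block
            scopes[c.group(1)] = c.group(2)
        return scopes
    return None

def missing_scopes(workflow_text, required):
    """Scopes the token would lack, as {scope: (granted, needed)}."""
    perms = token_permissions(workflow_text)
    if perms is None:
        return {}  # no block: repository defaults apply, not modelled here
    gaps = {}
    for scope, needed in required.items():
        if isinstance(perms, str):
            granted = perms.split("-")[0]  # read-all -> read, write-all -> write
        else:
            granted = perms.get(scope, "none")  # unlisted scope becomes none
        if LEVELS[granted] < LEVELS[needed]:
            gaps[scope] = (granted, needed)
    return gaps
```

Run over the workflow files in a repository, a non-empty result flags a job that would fail with `Resource not accessible by integration` before the change is merged.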