hello-stephen commented on PR #63573:
URL: https://github.com/apache/doris/pull/63573#issuecomment-4593153050
Thanks for the PR! The security intent is correct and the change is minimal.
However, after reviewing the actual source code of the actions used, **3 of the
4 workflows will break** with only `contents: read` declared:
**`title-checker.yml` — breaks on every run**
`deepakputhraya/action-pr-title` calls `client.rest.pulls.get()`, which
requires `pull-requests: read`. With that permission implicitly set to `none`,
every PR title check will 403.
**`lfs-warning.yml` — breaks when a large file is detected**
`ppremk/lfs-warning` calls `octokit.rest.issues.createComment()`,
`issues.addLabels()`, and `pulls.listFiles()`, requiring `issues: write` +
`pull-requests: read`. The workflow silently fails exactly when it matters most.
**`license-eyes.yml` — breaks when a license violation is found**
`apache/skywalking-eyes` uses the token to comment on the PR when violations
are detected (documented in its `action.yml`). That needs `pull-requests:
write`.
**`clang-format.yml`** is fine — no token API calls involved.
Suggested fix:
```yaml
# title-checker.yml
permissions:
  contents: read
  pull-requests: read

# lfs-warning.yml
permissions:
  contents: read
  pull-requests: read
  issues: write

# license-eyes.yml
permissions:
  contents: read
  pull-requests: write
```
Only `clang-format.yml` is correct as-is. The other three need the scopes
above to preserve existing behavior.
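Added example, not code from the PR or from the Doris project: a small Python check that reads a workflow file's top-level `permissions:` block, lists the `uses:` actions, and flags any action whose required token scope is lower than what the block grants. The required-scope table is taken from the review comment above and should be re-verified against each action's source; the sample workflow texts, action refs and function names are constructed for this example. It applies GitHub's rule that an explicit `permissions:` block sets every unlisted scope to `none`, and only looks at workflow-level permissions (job-level overrides are not handled).

```python
import re

# Scopes each action needs, as stated in the review above (assumption: re-check
# against the action source before relying on this table).
REQUIRED_SCOPES = {
    "deepakputhraya/action-pr-title": {"pull-requests": "read"},
    "ppremk/lfs-warning": {"pull-requests": "read", "issues": "write"},
    "apache/skywalking-eyes": {"pull-requests": "write"},
}

# Ordering of access levels: write satisfies a read requirement.
LEVELS = {"none": 0, "read": 1, "write": 2}


def parse_permissions(workflow_text):
    """Return the workflow-level `permissions:` mapping, or None if absent.

    Handles the `read-all` / `write-all` shorthand (returned under key "*"),
    the empty `{}` form, and the indented block form.
    """
    lines = workflow_text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^permissions:\s*(\S*)\s*$", line)
        if not m:
            continue
        shorthand = m.group(1)
        if shorthand == "{}":
            return {}
        if shorthand:
            return {"*": shorthand.replace("-all", "")}
        perms = {}
        for sub in lines[i + 1:]:
            if not sub.strip() or sub.lstrip().startswith("#"):
                continue
            if not sub.startswith(" "):
                break  # back at column 0: the block has ended
            km = re.match(r"^\s+([\w-]+):\s*(\S+)\s*$", sub)
            if km:
                perms[km.group(1)] = km.group(2)
        return perms
    return None


def actions_used(workflow_text):
    """Owner/repo of every `uses:` step (subpaths and @refs are dropped)."""
    return re.findall(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+)", workflow_text, re.M)


def effective(perms, scope):
    """Level GITHUB_TOKEN actually gets for `scope`: an explicit permissions
    block leaves every scope it does not list at `none`."""
    if "*" in perms:
        return perms["*"]
    return perms.get(scope, "none")


def check_workflow(workflow_text):
    """List of human-readable findings; empty means every action has enough scope."""
    perms = parse_permissions(workflow_text)
    if perms is None:
        return ["no permissions block: token falls back to the repository default"]
    findings = []
    for action in actions_used(workflow_text):
        for scope, need in REQUIRED_SCOPES.get(action, {}).items():
            have = effective(perms, scope)
            if LEVELS[have] < LEVELS[need]:
                findings.append(f"{action}: needs {scope}: {need}, token has {have}")
    return findings


# Constructed sample workflows (trigger, job layout and action refs are made up).
BROKEN_TITLE_CHECKER = """\
name: Title Checker
on: [pull_request]
permissions:
  contents: read
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: deepakputhraya/action-pr-title@master
"""

FIXED_TITLE_CHECKER = BROKEN_TITLE_CHECKER.replace(
    "  contents: read\n", "  contents: read\n  pull-requests: read\n")

FIXED_LFS_WARNING = """\
name: LFS Warning
on: [pull_request]
permissions:
  contents: read
  pull-requests: read
  issues: write
jobs:
  lfs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ppremk/lfs-warning@v3.2
"""

if __name__ == "__main__":
    for name, text in [("broken", BROKEN_TITLE_CHECKER),
                       ("fixed", FIXED_TITLE_CHECKER),
                       ("lfs", FIXED_LFS_WARNING)]:
        print(name, check_workflow(text) or "ok")
```

Running the script prints one finding for the broken title checker (`pull-requests` is `none` because it is not listed) and `ok` for the two corrected workflows; the same check can be pointed at `.github/workflows/*.yml` to catch a future `permissions:` tightening that silently drops a scope an action needs.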