llvmbot wrote:
<!--LLVM PR SUMMARY COMMENT--> @llvm/pr-subscribers-github-workflow Author: None (llvmbot) <details> <summary>Changes</summary> Backport ef50970204384643acca42ba4c7ca8f14865a0c2 Requested by: @<!-- -->tstellar --- Full diff: https://github.com/llvm/llvm-project/pull/106821.diff 1 Files Affected: - (modified) .github/workflows/release-binaries-save-stage/action.yml (+6) ``````````diff diff --git a/.github/workflows/release-binaries-save-stage/action.yml b/.github/workflows/release-binaries-save-stage/action.yml index e2f3eeadd15bea..f08088c7bc56f1 100644 --- a/.github/workflows/release-binaries-save-stage/action.yml +++ b/.github/workflows/release-binaries-save-stage/action.yml @@ -10,6 +10,9 @@ inputs: required: true type: 'string' +permissions: + contents: read + runs: using: "composite" steps: @@ -18,6 +21,9 @@ runs: - name: Package Build and Source Directories shell: bash run: | + # Remove .git/config to avoid leaking GITHUB_TOKEN stored there. + # See https://unit42.paloaltonetworks.com/github-repo-artifacts-leak-tokens/ + rm -Rf .git/config # Windows does not support symlinks, so we need to dereference them. tar --exclude build/ ${{ (runner.os == 'Windows' && '-h') || '' }} -c . | zstd -T0 -c > ../llvm-project.tar.zst mv ../llvm-project.tar.zst . `````````` </details> https://github.com/llvm/llvm-project/pull/106821 _______________________________________________ llvm-branch-commits mailing list llvm-branch-commits@lists.llvm.org https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-branch-commits
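Review bot: the `permissions:` block added at top level in the first hunk (`@@ -10,6 +10,9 @@`) is unlikely to have any effect, because this file is a composite action (`using: "composite"`) and `permissions` is a workflow-level and job-level key, not part of action metadata. The token scope that this action's steps see comes from the calling job, so `contents: read` belongs on the workflows or jobs that use release-binaries-save-stage. Here the block should either be dropped or carry a comment saying it is documentation only.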
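Review bot: in the second hunk (`@@ -18,6 +21,9 @@`), `rm -Rf .git/config` modifies the checkout in place before the `tar` line, so any later step in the same job that runs git against this workspace would find its remote and credential configuration gone. The stated goal in the added comment is keeping the token out of the archive, so consider leaving the file in place and excluding it on the `tar` line next to `--exclude build/`. If the deletion stays, `rm -f` is enough for a single file, and the comment should say the step is intentionally destructive.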