Josh Soref effb58fc63 infra/workflow: Reduce workflow permissions ... By explicitly listing the permissions required in general, repositories without restrictive permissions will only allocate the specified permissions which is much safer than the default, fairly wide, permissions grant. Most workflows don't appear to need any permissions beyond `contents: read` which is required for checkout (when a repository is private). By specifying this permission, it tells GitHub not to include any of its additional default permissions (when a repository is configured permissively). The .github/workflows/memcheck_*.sh scripts called by build_ubuntu.yml require write permissions in order to post their output to a pull request (as a comment). In locked down GitHub repositories, unless a workflow/job asks for write permissions, it will not have them and such API calls will result in: { "message": "Resource not accessible by integration", "documentation_url": "https://docs.github.com/rest/issues/comments#create-an-issue-comment", "status": "403" } By specifically requesting the permissions, the workflow will continue to work as expected.		2024-07-03 13:17:10 +09:00
..
workflows	infra/workflow: Reduce workflow permissions	2024-07-03 13:17:10 +09:00
FUNDING.yml	infra: added open_collective fund account	2024-03-03 19:54:20 +09:00