
Add read-only token permissions#490

Merged
discordianfish merged 1 commit into prometheus:main from pnacht:fix_token_permissions
Sep 13, 2023

Conversation

@pnacht (Contributor) commented May 22, 2023

Fixes prometheus/prometheus#12379.

As mentioned there, this PR ensures the golangci-lint workflow always runs with read-only permissions, protecting the projects that use it from supply-chain attacks.

This PR was originally submitted as prometheus/procfs#525, but following @discordianfish's suggestion there, I'm re-submitting it here.

Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
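For readers who cannot see the diff on this page, the following is an added illustration of the setting the PR description refers to; it is not the PR's own change or the workflow file in prometheus/common. The trigger, job layout, and action versions (`actions/checkout@v4`, `actions/setup-go@v5`, `golangci/golangci-lint-action@v6`, `version: latest`) are assumptions chosen for the example. The security-relevant part is the top-level `permissions` block: without one, the `GITHUB_TOKEN` handed to every job inherits the repository's default, which in older repositories is read-write, so a compromised or typosquatted action called from a lint job could push to the repository. Declaring `contents: read` at the workflow level caps the token for every job in the file, and any job that needs more must ask for it explicitly.

```yaml
# Added example: a golangci-lint workflow with a read-only GITHUB_TOKEN.
# Not the prometheus/common workflow; structure and versions are assumed.
name: golangci-lint

on:
  push:
  pull_request:

# Weak form (omitted here on purpose): no `permissions:` key at all, so the
# token inherits the repository default, which may be read-write.
#
# Hardened form: cap the token for every job in this file. The lint job only
# has to read the source tree, so `contents: read` is all it gets. A job
# that legitimately needs more (for example posting review comments) must
# declare its own, narrower `permissions:` block at the job level.
permissions:
  contents: read

jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      # Checking out the repository only needs read access to contents.
      - uses: actions/checkout@v4

      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod

      # The linter runs with the same read-only token; even if this action
      # (or one of its dependencies) were compromised, it could not write
      # to the repository, create releases, or modify other workflows.
      - uses: golangci/golangci-lint-action@v6
        with:
          version: latest
```

Two checks are worth pairing with this: a workflow-level `permissions` block should exist in every `.github/workflows/*.yml` file so that no job silently falls back to the default, and the repository (or organization) setting under Settings > Actions > General > Workflow permissions should be set to the read-only default, so that a workflow that forgets the block still starts from a read-only token. Note that a job-level `permissions` block replaces the workflow-level one for that job rather than adding to it, so a job that sets `pull-requests: write` must also restate `contents: read` if it needs it.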
@discordianfish (Member) left a comment


LGTM, thanks!

@pnacht (Contributor, Author) commented Aug 25, 2023

Hey, are there any changes you'd like to see on this policy?

@discordianfish (Member)

Technically @roidelapluie needs to approve this first

@roidelapluie (Member)

LGTM

@discordianfish discordianfish merged commit 86487d4 into prometheus:main Sep 13, 2023
@pnacht (Contributor, Author) commented Sep 13, 2023

Thanks for merging this! However, I just noticed that golangci-lint.yml exists both here in prometheus/common and in prometheus/prometheus/scripts.

Also, the prometheus/prometheus version seems to be more up-to-date than this one (it runs Go 1.54.2, while here it's on 1.51.2, for example).

I also noticed that prometheus/procfs just received an update to its golangci-lint.yml taken from prometheus/prometheus. Should I repeat this PR over there?

@discordianfish (Member)

Uhmm.. good question, I assumed this is the source of truth but might be out of the loop a bit - @roidelapluie?


Development

Successfully merging this pull request may close these issues: Set read-only workflow permissions