chore(ci): Fix potential github action smells #29416
Conversation
- Avoid running CI related actions when no source code has changed
- Use permissions whenever using Github Token
- Avoid executing scheduled workflows on forks
386774b to 4f2d47e
@@ -13,6 +13,7 @@ jobs: | |||
FOSSA_API_KEY: ${{secrets.FOSSAAPIKEY}} | |||
repo-token: ${{ secrets.GITHUB_TOKEN }} | |||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |||
permissions: {} |
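Review bot: `permissions: {}` on this job strips every scope from the GITHUB_TOKEN that the same job still hands to steps as `repo-token` and `GITHUB_TOKEN`, so any step that calls the GitHub API with it will be rejected rather than run with least privilege. Replace the empty map with the minimum scopes those steps actually use (for example `contents: read`, or `contents: write` if the job uploads release assets), and add a one-line comment naming which step needs each scope so the next reader does not widen it by reflex.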
@ceddy4395 We need to specify the permissions we want here right? What happens if this object is empty? https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idpermissions
When the permissions are empty, the GITHUB_TOKEN and 'external' actions will have no permissions at all. I assumed this would not be a problem looking at the workflow, however could you confirm what the ${{ github.event.release.upload_url }} usually points to? If this points to github somehow, we might need to add the correct permission for that.
These are examples of the urls: e2dcf53#commitcomment-141413214
Ah yes I see where it gets uploaded, I've added contents: write to the permission which will allow the uploading.
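The thread above and the three bullet points in the PR description boil down to one workflow shape, shown here as an added example (not a file from this PR or from the cypress repository): deny all scopes at the workflow level, re-grant `contents: write` only on the job that uploads a release asset, give the other job `contents: read`, skip scheduled runs on forks, and skip CI when no source changed. The workflow name, the `owner/repo` guard value, the paths, and the asset file are placeholders.

```yaml
name: release-and-nightly   # placeholder workflow name, not from the PR
on:
  release:
    types: [published]
  schedule:
    - cron: '0 6 * * 1'
  pull_request:
    paths:                   # smell 1: do not run CI when no source changed
      - 'packages/**'
      - '.github/workflows/**'

# smell 2: start from no scopes at all; each job re-grants what it needs.
# A bare `permissions: {}` on a job that still uses GITHUB_TOKEN would make
# that job's API calls fail, which is what the review comments worked through.
permissions: {}

jobs:
  nightly:
    # smell 3: a scheduled run on a fork would execute with the fork's token
    # and secrets, so only the upstream repository may run it ('owner/repo'
    # is a placeholder for the real repository slug).
    if: github.event_name != 'schedule' || github.repository == 'owner/repo'
    runs-on: ubuntu-latest
    permissions:
      contents: read         # checkout only; nothing in this job writes
    steps:
      - uses: actions/checkout@v4
      - run: echo "nightly checks would run here"

  upload_release_asset:
    if: github.event_name == 'release'
    runs-on: ubuntu-latest
    permissions:
      contents: write        # the releases API rejects the upload without this
    steps:
      - uses: actions/checkout@v4
      - name: Upload release asset
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          upload_url: ${{ github.event.release.upload_url }}
          asset_path: ./build/example.zip      # placeholder artifact
          asset_name: example.zip
          asset_content_type: application/zip
```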
Co-authored-by: Jennifer Shehane <shehane.jennifer@gmail.com>
* chore(ci): fix gha smells
  - Avoid running CI related actions when no source code has changed
  - Use permissions whenever using Github Token
  - Avoid executing scheduled workflows on forks
* Fix typo in 'if' statement for gha workflow
  Co-authored-by: Jennifer Shehane <shehane.jennifer@gmail.com>
* Add contents write permissions to upload_release_asset
---------
Co-authored-by: Jennifer Shehane <shehane.jennifer@gmail.com>
Co-authored-by: Jennifer Shehane <jennifer@cypress.io>
Hey! 🙂
I want to contribute the following changes to your workflow:
- Avoid running CI related actions when no source code has changed
- Use permissions whenever using Github Token
- Avoid executing scheduled workflows on forks
Closes N/A
Additional details
These changes are part of a research study at TU Delft looking at GitHub Action Smells. Find out more
Steps to test
N/A
How has the user experience changed?
N/A
PR Tasks
- cypress-documentation
- type definitions