mirror of
https://github.com/facebook/rocksdb.git
synced 2024-11-28 05:43:50 +00:00
626eaa4189
Summary: This PR adds minimum token permissions for the GITHUB_TOKEN in GitHub Actions workflows using https://github.com/step-security/secure-workflows.

GitHub recommends defining minimum GITHUB_TOKEN permissions for securing GitHub Actions workflows:
- https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/
- https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token
- The Open Source Security Foundation (OpenSSF) [Scorecards](https://github.com/ossf/scorecard) treats not setting token permissions as a high-risk issue

This project is part of the top 100 critical projects as per OpenSSF (https://github.com/ossf/wg-securing-critical-projects), so fixing the token permissions to improve security.

Before the change: `GITHUB_TOKEN` has `write` permissions for multiple scopes, e.g. https://github.com/facebook/rocksdb/runs/7936368166?check_suite_focus=true#step:1:19

After the change: `GITHUB_TOKEN` will have minimum permissions needed for the jobs.

Signed-off-by: Varun Sharma <varunsh@stepsecurity.io>

Pull Request resolved: https://github.com/facebook/rocksdb/pull/10549

Reviewed By: ajkr

Differential Revision: D38923184

Pulled By: jay-zhuang

fbshipit-source-id: 0c48f98fe90665e53724f57a7d3b01dd80f34a93
48 lines
1.2 KiB
YAML
name: Check buck targets and code format
on: [push, pull_request]
permissions:
  contents: read

jobs:
  check:
    name: Check TARGETS file and code format
    runs-on: ubuntu-latest
    steps:
    - name: Checkout feature branch
      uses: actions/checkout@v2
      with:
        fetch-depth: 0

    - name: Fetch from upstream
      run: |
        git remote add upstream https://github.com/facebook/rocksdb.git && git fetch upstream

    - name: Where am I
      run: |
        echo git status && git status
        echo "git remote -v" && git remote -v
        echo git branch && git branch

    - name: Setup Python
      uses: actions/setup-python@v1

    - name: Install Dependencies
      run: python -m pip install --upgrade pip

    - name: Install argparse
      run: pip install argparse

    - name: Download clang-format-diff.py
      uses: wei/wget@v1
      with:
        args: https://raw.githubusercontent.com/llvm/llvm-project/release/12.x/clang/tools/clang-format/clang-format-diff.py

    - name: Check format
      run: VERBOSE_CHECK=1 make check-format

    - name: Compare buckify output
      run: make check-buck-targets

    - name: Simple source code checks
      run: make check-sources
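The check the commit message describes (a workflow with no `permissions` block leaves `GITHUB_TOKEN` at the repository default, while `contents: read` pins it to least privilege), as an added example that is not part of the RocksDB repository or of step-security's tooling: a small audit that scans a workflow for `permissions` keys and reports missing blocks, `write-all`, and individual `write` scopes. The two workflows it scans are constructed samples, and the scanner is a deliberate line-based subset of YAML (block form and the shorthand `read-all`, `write-all`, `{}` forms), not a full YAML parser.

```python
import re

# Constructed sample workflow (not a file from the RocksDB repository). Without a
# permissions block GITHUB_TOKEN gets the repository default, which may include
# write scopes; WORKFLOW_AFTER adds the least-privilege block from the commit.
WORKFLOW_BEFORE = "name: Check buck targets and code format\non: [push, pull_request]\njobs:\n  check:\n    runs-on: ubuntu-latest\n"
WORKFLOW_AFTER = WORKFLOW_BEFORE.replace("jobs:", "permissions:\n  contents: read\njobs:")

PERM_RE = re.compile(r"^(\s*)permissions:\s*(.*?)\s*$")
SCOPE_RE = re.compile(r"^(\s*)([a-z-]+):\s*(read|write|none)\s*$")

def parse_permissions(text):
    """(indent, value) per permissions key: dict scope->level, or shorthand string."""
    lines, found, i = text.splitlines(), [], 0
    while i < len(lines):
        m = PERM_RE.match(lines[i])
        i += 1
        if not m:
            continue
        indent, inline = len(m.group(1)), m.group(2)
        if inline:                      # read-all / write-all / {}
            found.append((indent, inline))
            continue
        scopes = {}                     # block form: nested scope: level lines
        while i < len(lines):
            s = SCOPE_RE.match(lines[i])
            if not s or len(s.group(1)) <= indent:
                break
            scopes[s.group(2)] = s.group(3)
            i += 1
        found.append((indent, scopes))
    return found

def audit(text):
    """Findings list (empty = passes). Indent 0 is the workflow-level block."""
    perms, findings = parse_permissions(text), []
    if not any(indent == 0 for indent, _ in perms):
        findings.append("no workflow-level permissions block: GITHUB_TOKEN uses the repository default")
    for indent, value in perms:
        where = "workflow" if indent == 0 else "job"
        if value == "write-all":
            findings.append(f"{where}-level permissions: write-all grants every scope")
        elif isinstance(value, dict):
            findings += [f"{where}-level write on scope '{k}'" for k, v in value.items() if v == "write"]
    return findings
```

A `permissions` block on every job also satisfies the guidance; this check keeps to the workflow-level form the commit uses. Once any scope is listed in a block, GitHub sets every scope not listed to `none`, which is why `contents: read` alone is enough here.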