ci: set top-level permissions for antithesis-verify workflow #21470

Open
gaganhr94 wants to merge 1 commit into etcd-io:main from gaganhr94:fix/token-permissions

gaganhr94 commented Mar 11, 2026

Summary

Add explicit `permissions: contents: read` at the workflow level in `.github/workflows/antithesis-verify.yml` to restrict the default `GITHUB_TOKEN` to read-only access, following the principle of least privilege.

Fixes #21469

Changes

  • Added top-level `permissions: contents: read` to the `antithesis-verify.yml` workflow

Why

The OpenSSF Scorecard Token-Permissions check flagged this workflow for not defining top-level permissions:

`Warn: no topLevel permission defined: .github/workflows/antithesis-verify.yml:1`

This change improves the repository's OpenSSF Scorecard score with no functional impact, as the workflow only checks out code and runs local Docker builds.

Add explicit `permissions: contents: read` at the workflow level to
restrict the default GITHUB_TOKEN to read-only access, following the
principle of least privilege.

This addresses the OpenSSF Scorecard Token-Permissions warning for
.github/workflows/antithesis-verify.yml.

Signed-off-by: Gagan H R <hrgagan4@gmail.com>
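The distinction the PR description relies on (a workflow-level `permissions` block versus a job-level one) can be checked mechanically. The following is an added example, not code from this PR or from OpenSSF Scorecard: the sample workflows are constructed, `top_level_permissions` and `audit` are hypothetical names, the parse is a simplified column-0 scan rather than a full YAML parser, and only the "no topLevel permission defined" message comes from the page (the write warnings use this example's own wording).

```python
import re

# Constructed sample workflow; not the contents of antithesis-verify.yml.
BEFORE = """\
name: example-verify
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:        # job-level only: the workflow default is still unset
      contents: read
    steps:
      - uses: actions/checkout@v4
"""
# The fix from the PR description: a permissions block at the workflow level.
AFTER = BEFORE.replace("jobs:", "permissions:\n  contents: read\njobs:", 1)

# A top-level key starts in column 0; indented keys belong to jobs or steps.
TOP_KEY = re.compile(r"^([A-Za-z_][\w-]*)\s*:\s*(.*?)\s*(?:#.*)?$")

def top_level_permissions(text):
    """Return workflow-level permissions: dict of scopes, scalar string, or None."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = TOP_KEY.match(line)
        if not m or m.group(1) != "permissions":
            continue
        if m.group(2):                      # scalar form: read-all / write-all / {}
            return m.group(2)
        scopes = {}
        for sub in lines[i + 1:]:
            if not sub.strip() or sub.lstrip().startswith("#"):
                continue
            if not sub[0].isspace():        # next top-level key ends the mapping
                break
            key, _, value = sub.partition(":")
            scopes[key.strip()] = value.split("#")[0].strip()
        return scopes
    return None

def audit(path, text):
    """Return warnings; the first message mirrors the Scorecard line quoted in the PR."""
    perms = top_level_permissions(text)
    if perms is None:
        return [f"Warn: no topLevel permission defined: {path}:1"]
    if isinstance(perms, str):
        return [f"Warn: topLevel permissions are {perms}: {path}"] if perms == "write-all" else []
    return [f"Warn: topLevel {s} is write: {path}" for s, v in perms.items() if v == "write"]
```

The job-level block in `BEFORE` is deliberate: it does not satisfy the check, because any job without its own `permissions` block would still receive the repository's default token permissions.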
@k8s-ci-robot

Hi @gaganhr94. Thanks for your PR.

I'm waiting for an etcd-io member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

k8s-ci-robot added the github_actions (Pull requests that update GitHub Actions code) label Mar 11, 2026
@k8s-ci-robot

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: gaganhr94
Once this PR has been reviewed and has the lgtm label, please assign ivanvc for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@gaganhr94
Author

/ok-to-test

@k8s-ci-robot

@gaganhr94: Cannot trigger testing until a trusted user reviews the PR and leaves an /ok-to-test message.

In response to this:

/ok-to-test

@gaganhr94
Author

/assign @ivanvc

Labels

github_actions (Pull requests that update GitHub Actions code), needs-ok-to-test, size/XS

Development

Successfully merging this pull request may close these issues.

ci: fix excessive GitHub workflow token permissions

3 participants