CharlieMCY opened a new issue, #10557: URL: https://github.com/apache/rocketmq/issues/10557
### Summary

The default branch already hardened `.github/workflows/bazel.yml` against the issue(s) below, but **4** release branches still carry it. This proposes the same, minimal, scanner-verified fix for each.

### What's flagged (by [zizmor](https://github.com/woodruffw/zizmor))

- `excessive-permissions` — workflow/job granted broader `permissions` than needed

Already resolved on the default branch in:

- https://github.com/apache/rocketmq/commit/18f5f28af5c908d2d9986bbd824f237be9baf5e9

### Affected release branches (4)

- **`release-5.4.0`** (still present as of HEAD `b5da00ad`)
- **`release-5.3.4`** (still present as of HEAD `63d20eb9`)
- **`release-5.3.3`** (still present as of HEAD `29d90a4f`)
- **`release-5.3.2`** (still present as of HEAD `2baaf044`)

### Suggested per-branch patches

Each diff below was checked locally with **zizmor** and **actionlint**: the flagged finding(s) are cleared on the affected construct and no new lint or security findings are introduced. (Whitespace is normalized; only security-relevant lines change.)

<details>
<summary><code>release-5.4.0</code> — excessive-permissions</summary>

File `.github/workflows/bazel.yml`; suggested edits:

- + permissions.actions = 'write'

```diff --- a/.github/workflows/bazel.yml +++ b/.github/workflows/bazel.yml @@ -21,3 +21,5 @@ run: bazel build --config=remote //... - name: Run Tests run: bazel test --config=remote //... +permissions: + actions: write ```

</details>

<details>
<summary><code>release-5.3.4</code> — excessive-permissions</summary>

File `.github/workflows/bazel.yml`; suggested edits:

- + permissions.actions = 'write'

```diff --- a/.github/workflows/bazel.yml +++ b/.github/workflows/bazel.yml
@@ -21,3 +21,5 @@ run: bazel build --config=remote //... - name: Run Tests run: bazel test --config=remote //... +permissions: + actions: write ```

</details>

<details>
<summary><code>release-5.3.3</code> — excessive-permissions</summary>

File `.github/workflows/bazel.yml`; suggested edits:

- + permissions.actions = 'write'

```diff --- a/.github/workflows/bazel.yml +++ b/.github/workflows/bazel.yml @@ -21,3 +21,5 @@ run: bazel build --config=remote //... - name: Run Tests run: bazel test --config=remote //... +permissions: + actions: write ```

</details>

<details>
<summary><code>release-5.3.2</code> — excessive-permissions</summary>

File `.github/workflows/bazel.yml`; suggested edits:

- + permissions.actions = 'write'

```diff --- a/.github/workflows/bazel.yml +++ b/.github/workflows/bazel.yml @@ -21,3 +21,5 @@ run: bazel build --config=remote //... - name: Run Tests run: bazel test --config=remote //... +permissions: + actions: write ```

</details>

---

*Happy to open pull requests instead if that's preferred.*

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
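Review bot: the added `permissions:` block grants `actions: write`, a write scope, in a patch whose stated goal is clearing `excessive-permissions`, and the two steps visible in the hunk context (`bazel build --config=remote //...` and `bazel test --config=remote //...`) show nothing that needs it. This applies to all four hunks, which are identical. Either add a comment on the `+ actions: write` line naming the step that requires write access to Actions, or use a read-only scope if none does. Because whitespace is normalized, the indentation of the two added lines cannot be recovered from the diff: appended after the last step at `@@ -21,3 +21,5 @@` they read as a top-level block, so state whether workflow level or job level is intended and post the patch with real indentation so it applies. Note also that once any `permissions` key is set, every scope not listed becomes `none`, so list each scope the job relies on explicitly rather than only `actions`.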
