CharlieMCY opened a new issue, #10557:
URL: https://github.com/apache/rocketmq/issues/10557

   ### Summary
   The default branch already hardened `.github/workflows/bazel.yml` against the issue(s) below, but **4** release branches still carry it. This proposes the same, minimal, scanner-verified fix for each.
   
   ### What's flagged (by [zizmor](https://github.com/woodruffw/zizmor))
   - `excessive-permissions` — workflow/job granted broader `permissions` than needed
   
   Already resolved on the default branch in:
   - https://github.com/apache/rocketmq/commit/18f5f28af5c908d2d9986bbd824f237be9baf5e9
   
   ### Affected release branches (4)
   - **`release-5.4.0`** (still present as of HEAD `b5da00ad`)
   - **`release-5.3.4`** (still present as of HEAD `63d20eb9`)
   - **`release-5.3.3`** (still present as of HEAD `29d90a4f`)
   - **`release-5.3.2`** (still present as of HEAD `2baaf044`)
   
   ### Suggested per-branch patches
   Each diff below was checked locally with **zizmor** and **actionlint**: the flagged finding(s) are cleared on the affected construct and no new lint or security findings are introduced. (Whitespace is normalized; only security-relevant lines change.)
   
   <details>
   <summary><code>release-5.4.0</code> &mdash; excessive-permissions</summary>
   
   File `.github/workflows/bazel.yml`; suggested edits:
     - + permissions.actions = 'write'
   
   ```diff
   --- a/.github/workflows/bazel.yml
   +++ b/.github/workflows/bazel.yml
   @@ -21,3 +21,5 @@
            run: bazel build --config=remote //...
          - name: Run Tests
            run: bazel test --config=remote //...
   +permissions:
   +  actions: write
   ```
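
Review bot: `actions: write` in the added `permissions:` block grants a write scope in a patch labelled excessive-permissions, while the two steps visible in the context only run `bazel build` and `bazel test`. If no other step in this workflow needs write access to the Actions API, narrow this to the read scopes the job actually uses (for example `contents: read`); otherwise state in the issue which step requires the write.
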
   </details>
   <details>
   <summary><code>release-5.3.4</code> &mdash; excessive-permissions</summary>
   
   File `.github/workflows/bazel.yml`; suggested edits:
     - + permissions.actions = 'write'
   
   ```diff
   --- a/.github/workflows/bazel.yml
   +++ b/.github/workflows/bazel.yml
   @@ -21,3 +21,5 @@
            run: bazel build --config=remote //...
          - name: Run Tests
            run: bazel test --config=remote //...
   +permissions:
   +  actions: write
   ```
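
Review bot: the added top-level `permissions:` names only `actions`, which leaves every scope not listed, `contents` included, at no access for the workflow token. Add `contents: read` beside `actions: write` so a checkout step does not depend on the repository being publicly readable, and confirm the `--config=remote` build and test steps still pass with the reduced token.
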
   </details>
   <details>
   <summary><code>release-5.3.3</code> &mdash; excessive-permissions</summary>
   
   File `.github/workflows/bazel.yml`; suggested edits:
     - + permissions.actions = 'write'
   
   ```diff
   --- a/.github/workflows/bazel.yml
   +++ b/.github/workflows/bazel.yml
   @@ -21,3 +21,5 @@
            run: bazel build --config=remote //...
          - name: Run Tests
            run: bazel test --config=remote //...
   +permissions:
   +  actions: write
   ```
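
Review bot: the `permissions:` key is appended at column 0 after the last step's `run:` line, so a workflow-wide setting ends up at the bottom of the file, below the job it governs. Move it up beside the other top-level keys so a reader sees the token scope before the job body; the behaviour is unchanged.
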
   </details>
   <details>
   <summary><code>release-5.3.2</code> &mdash; excessive-permissions</summary>
   
   File `.github/workflows/bazel.yml`; suggested edits:
     - + permissions.actions = 'write'
   
   ```diff
   --- a/.github/workflows/bazel.yml
   +++ b/.github/workflows/bazel.yml
   @@ -21,3 +21,5 @@
            run: bazel build --config=remote //...
          - name: Run Tests
            run: bazel test --config=remote //...
   +permissions:
   +  actions: write
   ```
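
Review bot: the hunk header `@@ -21,3 +21,5 @@` and its context are identical to the other three branches, and the description says whitespace was normalized, so this diff may not apply as-is if the file on this branch differs in indentation or length. Regenerate it from the `release-5.3.2` HEAD named above, and add a YAML comment over `permissions:` recording why `actions: write` is needed.
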
   </details>
   
   ---
   *Happy to open pull requests instead if that's preferred.*

