RockteMQ-AI commented on issue #10557:
URL: https://github.com/apache/rocketmq/issues/10557#issuecomment-4830727124
**Issue Evaluation**
Category: `CI/workflow` | Status: **Evaluated — Needs Maintainer Decision**
Thanks for raising this. I verified the current state of the workflow files
across all mentioned branches.
**Findings:**
1. **Release branches confirmed**: All 4 release branches (`release-5.4.0`,
`release-5.3.4`, `release-5.3.3`, `release-5.3.2`) do lack explicit
`permissions` in `.github/workflows/bazel.yml`, meaning they use GitHub's
default broad token permissions.
2. **Default branch also lacks it**: The `develop` branch currently does
**not** have `permissions: actions: write` either. The referenced commit
`18f5f28a` ("Set specific permissions to trigger the retry mechanism") added it
in Aug 2024, but commit `a8dde862` ("Enhance unit test retry mechanism", Sep
2024) later **removed** it when the retry logic was moved to the separate
`rerun-workflow.yml` workflow.
3. **Security context**: For `pull_request` triggers, GitHub automatically
restricts `GITHUB_TOKEN` permissions. For `push` triggers (which `bazel.yml`
also listens to on `master`/`develop`/`bazel` branches), the token gets broader
permissions. Adding explicit `permissions: actions: write` is a valid hardening
practice.
**Suggested approach:**
- If the project wants to harden workflow permissions, the fix should first
be applied to `develop` (since it's also missing there), then backported to the
release branches.
- Consider also adding `permissions` to `maven.yaml` and
`rerun-workflow.yml` on the release branches for consistency with commit
`18f5f28a`'s original scope.
Flagging for maintainer review on whether to proceed with this hardening
across all branches.
---
*Automated evaluation by github-manager-bot*
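As an added illustration (not apache/rocketmq's actual `bazel.yml` and not part of the bot's comment), here is the unhardened shape described above beside the hardened one. Only the trigger list and the `permissions` key come from the comment; the job body and step names are placeholders.

```yaml
# Added example, not the project's real bazel.yml: the trigger list and the
# `permissions` key come from the issue comment; the job body is a placeholder.

# --- BEFORE: no `permissions` key -----------------------------------------
# On `push` to master/develop/bazel the GITHUB_TOKEN receives the repository's
# default scopes (read/write on every scope unless the repository has been
# switched to GitHub's restricted default).
name: Bazel
on:
  push:
    branches: [master, develop, bazel]
  pull_request:
    branches: [master, develop, bazel]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: bazel test //...        # placeholder for the real build step

---
# --- AFTER: explicit top-level permissions --------------------------------
# Declaring any scope resets every undeclared scope to `none`, so the token
# can do nothing the workflow has not asked for. Keep `actions: write` only in
# a workflow that actually re-runs jobs (the retry mechanism from 18f5f28a);
# a plain build workflow needs just `contents: read` for checkout.
name: Bazel
on:
  push:
    branches: [master, develop, bazel]
  pull_request:
    branches: [master, develop, bazel]
permissions:
  contents: read      # actions/checkout needs this
  actions: write      # needed to re-run or cancel workflow runs via the API
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: bazel test //...        # placeholder for the real build step
```

A quick check after merging: the "Set up job" log of any run lists the resolved `GITHUB_TOKEN Permissions`, so an undeclared scope should show as `none` there.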
--
This is an automated message from the Apache Git Service.