RockteMQ-AI commented on issue #10557:
URL: https://github.com/apache/rocketmq/issues/10557#issuecomment-4830727124

**Issue Evaluation**

Category: `CI/workflow` | Status: **Evaluated — Needs Maintainer Decision**

Thanks for raising this. I verified the current state of the workflow files across all mentioned branches.

**Findings:**

1. **Release branches confirmed**: All 4 release branches (`release-5.4.0`, `release-5.3.4`, `release-5.3.3`, `release-5.3.2`) do lack explicit `permissions` in `.github/workflows/bazel.yml`, meaning they use GitHub's default broad token permissions.

2. **Default branch also lacks it**: The `develop` branch currently does **not** have `permissions: actions: write` either. The referenced commit `18f5f28a` ("Set specific permissions to trigger the retry mechanism") added it in Aug 2024, but commit `a8dde862` ("Enhance unit test retry mechanism", Sep 2024) later **removed** it when the retry logic was moved to the separate `rerun-workflow.yml` workflow.

3. **Security context**: For `pull_request` triggers, GitHub automatically restricts `GITHUB_TOKEN` permissions. For `push` triggers (which `bazel.yml` also listens to on `master`/`develop`/`bazel` branches), the token gets broader permissions. Adding explicit `permissions: actions: write` is a valid hardening practice.

**Suggested approach:**
- If the project wants to harden workflow permissions, the fix should first be applied to `develop` (since it's also missing there), then backported to the release branches.
- Consider also adding `permissions` to `maven.yaml` and `rerun-workflow.yml` on the release branches for consistency with commit `18f5f28a`'s original scope.

Flagging for maintainer review on whether to proceed with this hardening across all branches.

---
*Automated evaluation by github-manager-bot*
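The check the comment describes (does each workflow file on each branch declare a workflow-level `permissions:` block?) together with the suggested hardening, as an added Python example that is not part of the issue or of the RocketMQ project. The sample workflow text is constructed, and `audit_branches` assumes it runs inside a clone that has the named branches fetched.

```python
import re
import subprocess
from typing import Dict, List, Optional

# A `permissions:` key at column 0 is the workflow-level block; the job-level
# form is indented under `jobs:` and deliberately does not match.
TOP_LEVEL_PERMISSIONS = re.compile(r"^permissions:", re.MULTILINE)


def has_top_level_permissions(workflow_text: str) -> bool:
    """True if the workflow declares a workflow-level `permissions:` block."""
    return TOP_LEVEL_PERMISSIONS.search(workflow_text) is not None


def add_top_level_permissions(workflow_text: str, scopes: Dict[str, str]) -> str:
    """Prepend an explicit block; declaring any scope sets all unlisted scopes
    to none. Returns the text unchanged if a workflow-level block exists."""
    if has_top_level_permissions(workflow_text):
        return workflow_text
    block = "permissions:\n" + "".join(f"  {k}: {v}\n" for k, v in scopes.items())
    if workflow_text.startswith("---\n"):  # keep a leading document marker first
        return workflow_text[:4] + block + workflow_text[4:]
    return block + workflow_text


def audit_branches(branches: List[str], paths: List[str],
                   repo: str = ".") -> Dict[str, Dict[str, Optional[bool]]]:
    """Read each file from each branch with `git show <branch>:<path>`;
    None means the file does not exist on that branch."""
    report: Dict[str, Dict[str, Optional[bool]]] = {}
    for branch in branches:
        report[branch] = {}
        for path in paths:
            proc = subprocess.run(["git", "-C", repo, "show", f"{branch}:{path}"],
                                  capture_output=True, text=True)
            report[branch][path] = (has_top_level_permissions(proc.stdout)
                                    if proc.returncode == 0 else None)
    return report


# Constructed sample with the trigger shape the issue describes (not the
# project's real bazel.yml): push and pull_request, no permissions block.
UNSCOPED_WORKFLOW = """name: Bazel
on:
  push:
    branches: [master, develop, bazel]
  pull_request:
jobs:
  build:
    runs-on: ubuntu-latest
"""
```

Running `audit_branches(["develop", "release-5.4.0"], [".github/workflows/bazel.yml"])` in a clone reports `False` for every branch/file pair that still relies on the default token scopes.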
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.