Re: [PR] MINOR: Add missing permission to milestone assignment bot [arrow-java]
lidavidm merged PR #673: URL: https://github.com/apache/arrow-java/pull/673 -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
Re: [PR] MINOR: Add missing permission to milestone assignment bot [arrow-java]
lidavidm commented on PR #673:
URL: https://github.com/apache/arrow-java/pull/673#issuecomment-2928398570
Thanks Calvin & JB for double-checking things! Rebased and will merge
Re: [PR] MINOR: Add missing permission to milestone assignment bot [arrow-java]
CalvinKirs commented on PR #673:
URL: https://github.com/apache/arrow-java/pull/673#issuecomment-2922251893
> @CalvinKirs are you good with this PR?
LGTM, sorry for the delay!
Re: [PR] MINOR: Add missing permission to milestone assignment bot [arrow-java]
jbonofre commented on PR #673:
URL: https://github.com/apache/arrow-java/pull/673#issuecomment-2861798849
@CalvinKirs are you good with this PR?
Re: [PR] MINOR: Add missing permission to milestone assignment bot [arrow-java]
jbonofre commented on code in PR #673:
URL: https://github.com/apache/arrow-java/pull/673#discussion_r2078898696
##
.github/workflows/dev_pr.yml:
##
@@ -80,5 +80,9 @@ jobs:
if: '! github.event.pull_request.draft'
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+permissions:
+ contents: read
+ issues: write
+ pull-requests: write
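Review bot: Nothing beside `issues: write` and `pull-requests: write` says why the token needs write scope. A one-line YAML comment on each, naming the operation that uses it (the PR title says milestone assignment), would let a later reviewer tell when a scope can be dropped back to `read`.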
Review Comment:
I double checked and it looks good to me.
Re: [PR] MINOR: Add missing permission to milestone assignment bot [arrow-java]
lidavidm commented on code in PR #673:
URL: https://github.com/apache/arrow-java/pull/673#discussion_r222269
##
.github/workflows/dev_pr.yml:
##
@@ -80,5 +80,9 @@ jobs:
if: '! github.event.pull_request.draft'
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+permissions:
+ contents: read
+ issues: write
+ pull-requests: write
Review Comment:
@jbonofre was there any clarification here?
Re: [PR] MINOR: Add missing permission to milestone assignment bot [arrow-java]
CalvinKirs commented on code in PR #673:
URL: https://github.com/apache/arrow-java/pull/673#discussion_r2026347179
##
.github/workflows/dev_pr.yml:
##
@@ -80,5 +80,9 @@ jobs:
if: '! github.event.pull_request.draft'
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+permissions:
+ contents: read
+ issues: write
+ pull-requests: write
run: |
./.github/workflows/dev_pr_milestone.sh "${GITHUB_REPOSITORY}" ${{
github.event.number }}
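Review bot: As quoted here, the added `permissions:` block sits between a step's `env:` and its `run:` key, and GitHub Actions accepts `permissions` only at the workflow or job level, not on a step. Indentation is not preserved in this quoted hunk, so confirm the nesting in the file; if the block is inside the step, move the four added lines up to the job that owns it so the grants actually apply to the token passed as `GH_TOKEN`.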
Review Comment:
FYI
https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/
Re: [PR] MINOR: Add missing permission to milestone assignment bot [arrow-java]
CalvinKirs commented on code in PR #673:
URL: https://github.com/apache/arrow-java/pull/673#discussion_r2026622916
##
.github/workflows/dev_pr.yml:
##
@@ -80,5 +80,9 @@ jobs:
if: '! github.event.pull_request.draft'
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+permissions:
+ contents: read
+ issues: write
+ pull-requests: write
Review Comment:
oops...we're not executing the checkout operation... please disregard me
Re: [PR] MINOR: Add missing permission to milestone assignment bot [arrow-java]
lidavidm commented on code in PR #673:
URL: https://github.com/apache/arrow-java/pull/673#discussion_r2026378366
##
.github/workflows/dev_pr.yml:
##
@@ -80,5 +80,9 @@ jobs:
if: '! github.event.pull_request.draft'
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+permissions:
+ contents: read
+ issues: write
+ pull-requests: write
Review Comment:
This should be from the main branch, though, not from the PR. (But I guess
would it be clearer/safer to have a separate repo of custom actions for the
project that we can use and pin?)
Re: [PR] MINOR: Add missing permission to milestone assignment bot [arrow-java]
CalvinKirs commented on code in PR #673:
URL: https://github.com/apache/arrow-java/pull/673#discussion_r2026345910
##
.github/workflows/dev_pr.yml:
##
@@ -80,5 +80,9 @@ jobs:
if: '! github.event.pull_request.draft'
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+permissions:
+ contents: read
+ issues: write
+ pull-requests: write
Review Comment:
Since **pull_request_target** runs in the target repository's context with
write access to secrets, directly executing a .sh file from a PR poses a
security risk. To ensure the script hasn't been tampered with, we must verify
its SHA256 checksum before execution to prevent unintended scripts from running
and potential malicious attacks.
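The checksum check proposed in the comment above, as an added example (not code from the arrow-java repository or from any participant in this thread): a wrapper that refuses to execute a script whose SHA-256 differs from a pinned value. The names `sha256_of` and `run_pinned`, the return code 3, and the sample script are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: execute a helper script only when its SHA-256 matches a pin.
# Function names, return code 3 and the sample script are constructed here.

# sha256_of FILE: print the lowercase hex digest of FILE.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# run_pinned EXPECTED_SHA256 SCRIPT [ARGS...]
# Returns 3 without executing anything when the digest differs; otherwise
# runs the verified copy and returns that script's exit status.
run_pinned() {
  local expected="$1" script="$2" copy actual status=0
  shift 2
  copy="$(mktemp)" || return 2
  # Hash and run the same private copy, so the file cannot be swapped
  # between the check and the execution.
  cp -- "$script" "$copy" || { rm -f "$copy"; return 2; }
  actual="$(sha256_of "$copy")"
  if [ "$actual" != "$expected" ]; then
    echo "refusing to run $script: sha256 $actual, pinned $expected" >&2
    rm -f "$copy"
    return 3
  fi
  sh "$copy" "$@" || status=$?
  rm -f "$copy"
  return "$status"
}

# Constructed demo: a stand-in script is pinned, run, modified, then refused.
demo() {
  local dir pinned out rc=0
  dir="$(mktemp -d)"
  printf '%s\n' 'echo "milestone for $1 #$2"' > "$dir/milestone.sh"
  pinned="$(sha256_of "$dir/milestone.sh")"  # in practice a reviewed constant
  out="$(run_pinned "$pinned" "$dir/milestone.sh" example/repo 673)" || rc=$?
  echo "clean:    rc=$rc out=$out"
  rc=0
  printf '%s\n' 'echo tampered' >> "$dir/milestone.sh"
  out="$(run_pinned "$pinned" "$dir/milestone.sh" example/repo 673 2>/dev/null)" || rc=$?
  echo "tampered: rc=$rc out=$out"
  rm -rf "$dir"
}
demo
```

The pin only helps if the expected digest is stored somewhere the pull request cannot change, such as the workflow file on the default branch.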
Re: [PR] MINOR: Add missing permission to milestone assignment bot [arrow-java]
jbonofre commented on code in PR #673:
URL: https://github.com/apache/arrow-java/pull/673#discussion_r2000300210
##
.github/workflows/dev_pr.yml:
##
@@ -80,5 +80,9 @@ jobs:
if: '! github.event.pull_request.draft'
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+permissions:
+ contents: read
+ issues: write
+ pull-requests: write
Review Comment:
@lidavidm let me double check with the Infra again (sorry I forgot).
Re: [PR] MINOR: Add missing permission to milestone assignment bot [arrow-java]
jbonofre commented on code in PR #673:
URL: https://github.com/apache/arrow-java/pull/673#discussion_r1993263920
##
.github/workflows/dev_pr.yml:
##
@@ -80,5 +80,9 @@ jobs:
if: '! github.event.pull_request.draft'
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+permissions:
+ contents: read
+ issues: write
+ pull-requests: write
Review Comment:
That's my point (sorry if I wasn't clear): why store it as an env variable?
I discussed with Gavin (from the ASF Infra) to clarify the "triggers"
statement on the GitHub Action policy page.
Re: [PR] MINOR: Add missing permission to milestone assignment bot [arrow-java]
lidavidm commented on code in PR #673:
URL: https://github.com/apache/arrow-java/pull/673#discussion_r1993292919
##
.github/workflows/dev_pr.yml:
##
@@ -80,5 +80,9 @@ jobs:
if: '! github.event.pull_request.draft'
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+permissions:
+ contents: read
+ issues: write
+ pull-requests: write
Review Comment:
Because the script is invoking the GitHub CLI to do things, and the GitHub
CLI needs a token from an environment variable
Re: [PR] MINOR: Add missing permission to milestone assignment bot [arrow-java]
jbonofre commented on code in PR #673:
URL: https://github.com/apache/arrow-java/pull/673#discussion_r1993220462
##
.github/workflows/dev_pr.yml:
##
@@ -80,5 +80,9 @@ jobs:
if: '! github.event.pull_request.draft'
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+permissions:
+ contents: read
+ issues: write
+ pull-requests: write
Review Comment:
Yes, it should not be a problem to write issues/pull-requests.
Do you really need to have the `GH_TOKEN` env variable? Why not directly use
`GITHUB_TOKEN`?
Re: [PR] MINOR: Add missing permission to milestone assignment bot [arrow-java]
lidavidm commented on code in PR #673:
URL: https://github.com/apache/arrow-java/pull/673#discussion_r1993229738
##
.github/workflows/dev_pr.yml:
##
@@ -80,5 +80,9 @@ jobs:
if: '! github.event.pull_request.draft'
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+permissions:
+ contents: read
+ issues: write
+ pull-requests: write
Review Comment:
I can rename the env var (it appears `gh` CLI accepts both), but the
question is whether putting it in the environment in the first place is
acceptable? From the Apache Infra page, it _sounds_ like this is actually not
allowed anymore?
Re: [PR] MINOR: Add missing permission to milestone assignment bot [arrow-java]
github-actions[bot] commented on PR #673:
URL: https://github.com/apache/arrow-java/pull/673#issuecomment-2719453477
Thank you for opening a pull request!
Please label the PR with one or more of:
- bug-fix
- chore
- dependencies
- documentation
- enhancement
Also, add the 'breaking-change' label if appropriate.
See [CONTRIBUTING.md](https://github.com/apache/arrow-java/blob/main/CONTRIBUTING.md) for details.
Re: [PR] MINOR: Add missing permission to milestone assignment bot [arrow-java]
kou commented on code in PR #673:
URL: https://github.com/apache/arrow-java/pull/673#discussion_r1992522586
##
.github/workflows/dev_pr.yml:
##
@@ -80,5 +80,9 @@ jobs:
if: '! github.event.pull_request.draft'
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+permissions:
+ contents: read
+ issues: write
+ pull-requests: write
Review Comment:
@jbonofre Can we use this configuration? Does this still satisfy our policy?
https://infra.apache.org/github-actions-policy.html
This is what I asked on Zulip: [#java-chat > GitHub Action versions alias @
💬](https://ursalabs.zulipchat.com/#narrow/channel/483042-java-chat/topic/GitHub.20Action.20versions.20alias/near/503947400)
