1 change: 1 addition & 0 deletions .github/workflows/_local_on_pr.yml
Expand Up @@ -38,6 +38,7 @@ jobs:
setup-bazel-cache-tests:
uses: ./.github/workflows/test-setup-bazel-cache.yml
permissions:
actions: write
contents: read

unblock-user-namespace-for-linux-sandbox-tests:
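Review bot: `actions: write` on the caller of `test-setup-bazel-cache.yml` is what the reusable workflow will actually run with (a called workflow can only narrow what the caller grants), and that scope covers more than cache deletion, including cancelling runs and deleting artifacts and logs. Since the README in this same change says PR and branch builds never write the cache, confirm that this test job really exercises pruning; otherwise `actions: read` is enough here. If `_local_on_pr.yml` also runs on `pull_request` from forks, `GITHUB_TOKEN` is read-only there regardless of this key, so the pruning path will fail on fork PRs and the test should tolerate that.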
1 change: 1 addition & 0 deletions .github/workflows/test-setup-bazel-cache.yml
Expand Up @@ -18,6 +18,7 @@ on:
workflow_dispatch:

permissions:
actions: write
contents: read

jobs:
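Review bot: a top-level `permissions:` block applies to every job in this workflow, so `actions: write` now reaches jobs that never touch the cache. Prefer a job-level `permissions:` on the job that runs `setup-bazel-cache` and leave the others at `contents: read`, which also documents which step actually needs the broader scope.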
4 changes: 4 additions & 0 deletions inter-repo-access/README.md
Expand Up @@ -45,6 +45,10 @@ The rewrite host is derived from `github.server_url`, so the same behavior appli

The action also exposes the selected token as `outputs.token` for cases where a token must be passed explicitly (for example, to a GitHub API call).

## Required permissions

This action configures git URL rewrites and optionally calls `actions/create-github-app-token` (which uses a JWT, not `GITHUB_TOKEN`). It does not call the GitHub API with `GITHUB_TOKEN` and requires no permissions of its own.

## Inputs

- `github-app-client-id`: GitHub App client ID. When set, `github-app-private-key` is also required.
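Review bot: the new section says the action "requires no permissions of its own" but does not say which token is selected when `github-app-client-id` is not set. If the fallback behind `outputs.token` and the URL rewrites is `GITHUB_TOKEN`, git fetches through the rewritten host still depend on that token carrying `contents: read` for the repositories involved, and this is the natural place to state it.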
11 changes: 11 additions & 0 deletions setup-bazel-cache/README.md
Expand Up @@ -13,6 +13,17 @@ steps:

Using `github.workflow` and `github.job` together gives each job its own cache automatically. Append a matrix identifier if the same job runs with different configurations that produce different build outputs.

## Required permissions

The job using this action needs:

```yaml
permissions:
actions: write
```

`actions: write` is required because deleting caches — which this action does to prune stale entries — is only available through the GitHub REST API. The internal runner token used for cache save and restore does not cover deletion; `GITHUB_TOKEN` with `actions: write` is the only supported mechanism for it.

## The cache only gets written from `main`

PR and branch builds read from the cache but never write to it. Only builds on `main` populate it.
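Review bot: the YAML snippet under "Required permissions" is incomplete as a copy-paste template: declaring a `permissions:` block sets every unlisted scope to none, so a job that copies only `actions: write` loses `contents: read` and `actions/checkout` stops working. Show the block as the workflows in this same change do:
`permissions:`
`  actions: write`
`  contents: read`
The explanation should also say whether pruning runs on PR and branch builds; the next section says those builds never write the cache, and if deletion likewise happens only on `main`, readers should be told that PR jobs can stay at `actions: read`.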
4 changes: 4 additions & 0 deletions setup-qnx-sdp/README.md
Expand Up @@ -13,6 +13,10 @@ It performs the following:
- Configures access to qnx.com via `.netrc`.
- Automatically removes the QNX license file and the `.netrc` entry when the job finishes (post-action).

## Required permissions

This action performs only local filesystem operations and does not call the GitHub API. No `GITHUB_TOKEN` permissions are required beyond whatever the rest of the job needs.

## How it works

When invoked, the action runs these steps in order:
4 changes: 4 additions & 0 deletions unblock-user-namespace-for-linux-sandbox/README.md
@@ -1,5 +1,9 @@
# Unblock user namespace for linux-sandbox

## Required permissions

This action calls `sudo apparmor_parser` locally and does not call the GitHub API. No `GITHUB_TOKEN` permissions are required beyond whatever the rest of the job needs.

Some tests require `linux-sandbox`.
Starting with Ubuntu 23.10 Canonical has blocked Linux user namespaces for [security reasons](https://discourse.ubuntu.com/t/spec-unprivileged-user-namespace-restrictions-via-apparmor-in-ubuntu-23-10/37626/1).
This action allows `linux-sandbox` to use Linux user namespaces via configuring `apparmor`.
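Review bot: the "Required permissions" section is inserted directly under the title, before the paragraph that explains what the action does and why user namespaces are blocked, which reads out of order and differs from the other READMEs in this change, where the section follows the description. Move it below the `apparmor` paragraph, and since the section already mentions `sudo apparmor_parser`, it is worth adding one line that this needs passwordless `sudo` on the runner rather than any token scope.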