Allow to trigger github workflow manually #68

Merged: 2 commits, Nov 14, 2024
1 change: 1 addition & 0 deletions .github/workflows/coverage.yml
Expand Up @@ -9,6 +9,7 @@ on:
- main
schedule:
- cron: '0 0 * * *' # This runs the workflow every day at midnight UTC
workflow_dispatch:

concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
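Review bot: The new `workflow_dispatch:` line in coverage.yml has no `inputs:` block, so a manual run carries no parameters, and the `concurrency` group two lines below will resolve to `github.ref` for such runs because `github.event.pull_request.number` is empty for a dispatch event; a manual run started on `main` therefore shares a group with the nightly cron run and push runs on `main`. That is probably what you want for a coverage job, but it is worth confirming, and the cron comment could mention that manual dispatch is now the way to re-run the daily job on demand.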
1 change: 1 addition & 0 deletions .github/workflows/main.yml
Expand Up @@ -8,6 +8,7 @@ on:
push:
branches:
- main
workflow_dispatch:

concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
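Review bot: Adding `workflow_dispatch:` next to a `push` trigger that is restricted to `main` widens where main.yml can run, since a manual dispatch lets the caller pick any branch or tag, not only `main`. If any job in this file assumes it is on `main` (publishing, deploying, pushing artifacts), guard it with `if: github.ref == 'refs/heads/main'` or check the ref at the top of the job; the `concurrency` group below keys on the selected `github.ref` for manual runs, so dispatches on different branches will not cancel each other.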
1 change: 1 addition & 0 deletions .github/workflows/pr-checks.yml
Expand Up @@ -3,6 +3,7 @@ name: Mandatory Pull Request Checks
on:
pull_request:
branches: [ "main" ]
workflow_dispatch:
💡 Codebase verification

Add permissions configuration to pr-checks.yml workflow

The workflow file pr-checks.yml lacks a permissions configuration block, unlike main.yml which properly defines its permissions. Add a minimal permissions block to explicitly restrict the workflow's access:

permissions: read-all
  • Add this block right after the on: section in .github/workflows/pr-checks.yml

This ensures the workflow only has read access by default, which is sufficient for PR checks like building, testing, and linting. The workflow_dispatch trigger will inherit these permissions, preventing potential misuse of elevated privileges during manual runs.

🔗 Analysis chain

Consider configuring permissions for manual workflow triggers.

To prevent potential abuse of CI resources, ensure that appropriate permissions are configured for who can manually trigger this workflow.

Let's check the repository's workflow permissions:

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check workflow permissions configuration in the repository

# Check for workflow permissions in repository settings
gh api repos/{owner}/{repo}/actions/permissions

# Check for environment protection rules that might affect workflow execution
gh api repos/{owner}/{repo}/environments

# Look for any existing permissions configurations in workflow files
rg -l "permissions:" .github/workflows/

Length of output: 438


Script:

#!/bin/bash
# Let's check the content of both workflow files to see their permissions configuration
cat .github/workflows/main.yml
cat .github/workflows/pr-checks.yml

Length of output: 2758


concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
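Review bot: For a workflow named Mandatory Pull Request Checks, a `workflow_dispatch` run has no pull request attached: `github.event.pull_request` is empty, so the `concurrency` group above falls back to `github.ref` and any step that reads PR metadata (number, head SHA, labels) gets empty values. Either add an `inputs:` block under `workflow_dispatch:` (for example a required PR number) that the steps use when `github.event_name == 'workflow_dispatch'`, or document that manual runs are only a smoke test of the checks themselves. On the permissions point raised in the comment above, an explicit per-scope block (`permissions:` with `contents: read` and, if needed, `pull-requests: read`) is tighter than `read-all`, and some block is needed because a manual run otherwise uses the repository's default GITHUB_TOKEN permissions.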
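A hardened shape for the pr-checks.yml file discussed in the comment above, as an added example rather than the project's own file: it keeps the `workflow_dispatch` trigger but grants explicit read scopes instead of `read-all` and gives manual runs a PR number to key on. The `pr_number` input, the job layout and the `make check` command are assumptions.

```yaml
# Added example, not the project's pr-checks.yml. The pr_number input, the job
# name and the `make check` step are assumptions for illustration.
name: Mandatory Pull Request Checks

on:
  pull_request:
    branches: [ "main" ]
  workflow_dispatch:
    inputs:
      pr_number:
        description: "Pull request number to check (manual runs only)"
        required: false
        type: string

# Explicit per-scope grants instead of the broader read-all: the GITHUB_TOKEN
# handed to every job, manual runs included, can only read code and PR metadata,
# regardless of the repository's default workflow permissions setting.
permissions:
  contents: read
  pull-requests: read

# Under workflow_dispatch, github.event.pull_request is empty. Keying on the
# typed-in PR number before falling back to github.ref keeps manual runs from
# sharing a group with (and cancelling) push-triggered runs on the same branch.
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || inputs.pr_number || github.ref }}
  cancel-in-progress: true   # assumed; not shown in the diff above

jobs:
  checks:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Show which PR this run is checking
        run: |
          # For dispatch events the PR number comes from the input, not the event.
          echo "PR: ${{ github.event.pull_request.number || inputs.pr_number || 'none (manual smoke test)' }}"
      - name: Build, test and lint
        run: make check   # assumed target for the repository's checks
```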