Skip to content

Commit 1cfbb67

Browse files
authored
GH-49729: [CI] Scope workflow permissions and secret inheritance (#49773)
### Rationale for this change CI jobs allow secrets to be inherited which could present a security risk ### What changes are included in this PR? Scope permissions better ### Are these changes tested? Will be once we merge ### Are there any user-facing changes? No * GitHub Issue: #49729 Authored-by: Nic Crane <thisisnic@gmail.com> Signed-off-by: Nic Crane <thisisnic@gmail.com>
1 parent c5a2f79 commit 1cfbb67

5 files changed

Lines changed: 20 additions & 10 deletions

File tree

.github/workflows/cpp_extra.yml

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -87,7 +87,6 @@ jobs:
8787
check-labels:
8888
if: github.event_name != 'schedule' || github.repository == 'apache/arrow'
8989
uses: ./.github/workflows/check_labels.yml
90-
secrets: inherit
9190
with:
9291
parent-workflow: cpp_extra
9392

@@ -778,4 +777,6 @@ jobs:
778777
- odbc-msvc
779778
- odbc-nightly
780779
uses: ./.github/workflows/report_ci.yml
781-
secrets: inherit
780+
secrets:
781+
ARROW_SMTP_PASSWORD: ${{ secrets.ARROW_SMTP_PASSWORD }}
782+
ARROW_ZULIP_WEBHOOK: ${{ secrets.ARROW_ZULIP_WEBHOOK }}

.github/workflows/cuda_extra.yml

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -44,7 +44,6 @@ jobs:
4444
check-labels:
4545
if: github.event_name != 'schedule' || github.repository == 'apache/arrow'
4646
uses: ./.github/workflows/check_labels.yml
47-
secrets: inherit
4847
with:
4948
parent-workflow: cuda_extra
5049

@@ -134,4 +133,6 @@ jobs:
134133
needs:
135134
- docker
136135
uses: ./.github/workflows/report_ci.yml
137-
secrets: inherit
136+
secrets:
137+
ARROW_SMTP_PASSWORD: ${{ secrets.ARROW_SMTP_PASSWORD }}
138+
ARROW_ZULIP_WEBHOOK: ${{ secrets.ARROW_ZULIP_WEBHOOK }}

.github/workflows/package_linux.yml

Lines changed: 6 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -64,19 +64,19 @@ concurrency:
6464

6565
permissions:
6666
actions: read
67-
# Upload to GitHub Release
68-
contents: write
6967
pull-requests: read
7068

7169
jobs:
7270
check-labels:
7371
if: github.event_name != 'schedule' || github.repository == 'apache/arrow'
7472
uses: ./.github/workflows/check_labels.yml
75-
secrets: inherit
7673
with:
7774
parent-workflow: package_linux
7875

7976
package:
77+
permissions:
78+
# Upload to GitHub Release
79+
contents: write
8080
name: ${{ matrix.id }}
8181
runs-on: ${{ contains(matrix.id, 'amd64') && 'ubuntu-latest' || 'ubuntu-24.04-arm' }}
8282
needs: check-labels
@@ -333,4 +333,6 @@ jobs:
333333
needs:
334334
- package
335335
uses: ./.github/workflows/report_ci.yml
336-
secrets: inherit
336+
secrets:
337+
ARROW_SMTP_PASSWORD: ${{ secrets.ARROW_SMTP_PASSWORD }}
338+
ARROW_ZULIP_WEBHOOK: ${{ secrets.ARROW_ZULIP_WEBHOOK }}

.github/workflows/r_extra.yml

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -77,7 +77,6 @@ jobs:
7777
check-labels:
7878
if: github.event_name != 'schedule' || github.repository == 'apache/arrow'
7979
uses: ./.github/workflows/check_labels.yml
80-
secrets: inherit
8180
with:
8281
parent-workflow: r_extra
8382

@@ -227,4 +226,6 @@ jobs:
227226
needs:
228227
- docker
229228
uses: ./.github/workflows/report_ci.yml
230-
secrets: inherit
229+
secrets:
230+
ARROW_SMTP_PASSWORD: ${{ secrets.ARROW_SMTP_PASSWORD }}
231+
ARROW_ZULIP_WEBHOOK: ${{ secrets.ARROW_ZULIP_WEBHOOK }}

.github/workflows/report_ci.yml

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -19,6 +19,11 @@ name: Report CI results
1919

2020
on:
2121
workflow_call:
22+
secrets:
23+
ARROW_SMTP_PASSWORD:
24+
required: true
25+
ARROW_ZULIP_WEBHOOK:
26+
required: true
2227

2328
permissions:
2429
actions: read

0 commit comments

Comments
 (0)