From 276dae1039a7f6fa78ef1682fe35e8720c10e67e Mon Sep 17 00:00:00 2001
From: Guy Sartorelli
Date: Mon, 29 Jul 2024 09:54:31 +1200
Subject: [PATCH] DOC Add note about permissions to readme

---
 README.md | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/README.md b/README.md
index 0efc07b..7116e89 100644
--- a/README.md
+++ b/README.md
@@ -21,10 +21,15 @@ on:
   pull_request:
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   ci:
     name: CI
     uses: silverstripe/gha-ci/.github/workflows/ci.yml@v1
+    permissions:
+      pull-requests: read
+      contents: write
 ```
 
 #### Running on a regular schedule
@@ -35,6 +40,8 @@ on:
   schedule:
     - cron: '0 0 * * 1'
 
+permissions: {}
+
 jobs:
   ci:
     name: CI
@@ -42,8 +49,18 @@ jobs:
     # Change '' to match the name of the account hosting this repository
     if: (github.event_name == 'schedule' && github.repository_owner == '') || (github.event_name != 'schedule')
     uses: silverstripe/gha-ci/.github/workflows/ci.yml@v1
+    permissions:
+      pull-requests: read
+      contents: write
 ```
 
+> [!WARNING]
+> Note that the `contents: write` permission won't be used in third-party repositories, but still needs to be defined. This permission is required by [silverstripe/gha-tag-release](https://github.com/silverstripe/gha-tag-release) which will be skipped in all repositories which are not commercially supported or not in the "silverstripe" GitHub organisation.
+>
+> To ensure you protect yourself from malicious actors, I recommend you set the "Fork pull request workflows from outside collaborators" setting in `https://github.com///settings/actions` to one of
+> - Require approval for first-time contributors
+> - Require approval for all outside collaborators
+
 #### Job configuration
 
 Set config specific to your needs via "inputs" defined under the `with:` key. For instance, to disable PHP linting because your module does not yet have a `phpcs.xml.dist` file