[GHA] Specify permissions when deviating from defaults #2721
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The publish_website.yml workflow requires write permissions to 1. create new docusaurus versions by pushing a commit to `docusaurus-versions` branch 2. push new website to gh-pages
facebook-github-bot
added
the
CLA Signed
|
@CristianLara has imported this pull request. If you are a Meta employee, you can view this diff on Phabricator. |
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #2721 +/- ##
=======================================
Coverage 99.98% 99.99%
=======================================
Files 203 203
Lines 18671 18671
=======================================
+ Hits 18669 18670 +1
+ Misses 2 1 -1 ☔ View full report in Codecov by Sentry. |
saitcakmak
approved these changes
Feb 3, 2025
|
@CristianLara merged this pull request in 37f3f7d. |
facebook-github-bot
pushed a commit
to facebook/Ax
that referenced
this pull request
Feb 3, 2025
Summary: ## Context Duplicate of change made in botorch: pytorch/botorch#2721 ## Motivation The `publish_website.yml` workflow requires write permissions to 1. create new docusaurus versions by pushing a commit to `docusaurus-versions` branch 2. push new website to gh-pages This was not an issue in the fork that introduced these changes because Meta's organization / the official repo has more restrictive permissions than the defaults. More restrictive default permissions are definitely the way to go, here we elevate permissions only when necessary. Pull Request resolved: #3299 Test Plan: I made the default permissions in my fork more restrictive such that the same workflows would fail then verified that this change results in successful workflow runs. https://github.com/CristianLara/botorch/actions/runs/13107635487/job/36565023833 Reviewed By: Balandat Differential Revision: D69035808 Pulled By: CristianLara fbshipit-source-id: 1f663e79609ae1e7318d9be9b9b3bb16eee3e835
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Motivation
The
publish_website.ymlworkflow requires write permissions todocusaurus-versionsbranchThis was not an issue in the fork that introduced these changes because Meta's organization / the official repo has more restrictive permissions than the defaults. More restrictive default permissions are definitely the way to go, here we elevate permissions only when necessary.
Test Plan
I made the default permissions in my fork more restrictive such that the same workflows would fail then verified that this change results in successful workflow runs. https://github.com/CristianLara/botorch/actions/runs/13107635487/job/36565023833