This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/trunk by this push: new 916b1a2b0c [StepSecurity] ci: Harden GitHub Actions (#719) 916b1a2b0c is described below commit 916b1a2b0c0b19f9212c49f31551f1024e92ef9b Author: Jacques Le Roux <jacques.le.r...@les7arts.com> AuthorDate: Sun Mar 3 10:53:06 2024 +0100 [StepSecurity] ci: Harden GitHub Actions (#719) Security Fixes Least Privileged GitHub Actions Token Permissions The GITHUB_TOKEN is an automatically generated secret to make authenticated calls to the GitHub API. GitHub recommends setting minimum token permissions for the GITHUB_TOKEN. That does not work for docker-image.yaml: > pushing ghcr.io/apache/ofbiz:trunk-snapshot with docker: ------ ERROR: denied: installation not allowed to Write organization package Error: buildx failed with: ERROR: denied: installation not allowed to Write organization package This reverts "read only" --- .github/workflows/docker-image.yaml | 3 --- 1 file changed, 3 deletions(-) diff --git a/.github/workflows/docker-image.yaml b/.github/workflows/docker-image.yaml index 4ecca30b07..1cff4a790e 100644 --- a/.github/workflows/docker-image.yaml +++ b/.github/workflows/docker-image.yaml @@ -44,9 +44,6 @@ on: tags: - '**' -permissions: - contents: read - jobs: docker_build: name: Build and push OFBiz docker container images
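Review bot: Deleting the top-level `permissions:` block between the `on:` trigger and `jobs:` leaves the `docker_build` job on whatever default GITHUB_TOKEN permissions the repository or organization grants. That drops the least-privilege setting entirely instead of granting the one scope the push needs. The error quoted in the commit message is a denied write to an organization package, so consider keeping `contents: read` and adding `packages: write`, either at the workflow level or on the `docker_build` job, rather than removing the block. If that still fails, a short comment in the workflow saying why no `permissions:` block is set would keep a later hardening pass from reintroducing the same breakage.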