Add explicit permissions to GitHub workflows#2723

Merged
labkey-tchad merged 5 commits into develop from fb_workflowPermissions
Oct 6, 2025

@labkey-tchad
Member

Rationale

Cleaning up several security warnings.
We should validate that the workflow permission changes work correctly before we roll out to other repositories.

Related Pull Requests

  • N/A

Changes

  • Add explicit permissions to GitHub workflows
  • Fix ZipSlip in TestFileUtils
  • Explicitly cast numbers

{
final File outputFile = new File(outputDir, entry.getName());

if (!outputFile.toPath().normalize().startsWith(outputDir.toPath()))
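
Review bot: The `startsWith` check compares a normalized candidate path against `outputDir.toPath()`, which is not normalized, so an `outputDir` containing `.` or `..` segments would make the comparison fail for every entry, legitimate ones included. Normalize the base once before the loop, for example `final Path root = outputDir.toPath().normalize();`, and test `startsWith(root)`. The body of the `if` is not visible in this excerpt, so confirm it throws or skips the entry before anything is written to `outputFile`.
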
Contributor

This should prevent the zip slip concern, but probably best to stash outputDir.toPath().normalize() outside the loop and use that.

@labkey-jeckels
Contributor

@labkey-tchad what steps in the merge/release process will end up testing the workflow permissions?

@labkey-tchad
Member Author

> @labkey-tchad what steps in the merge/release process will end up testing the workflow permissions?

The next time we merge changes forward from 25.10 should verify them both.

@labkey-jeckels
Contributor

> > @labkey-tchad what steps in the merge/release process will end up testing the workflow permissions?
>
> The next time we merge changes forward from 25.10 should verify them both.

@labkey-klum heads up on this change. Hopefully it won't have any impact on the merge process, but if you see problems with testAutomation, let us know.

@labkey-tchad labkey-tchad merged commit 3cb43f3 into develop Oct 6, 2025
6 checks passed
@labkey-tchad labkey-tchad deleted the fb_workflowPermissions branch October 6, 2025 17:08