[CI] Explicitly specify read-all permissions on the token (#117290)

Would be nice to have it Pull Request resolved: https://github.com/pytorch/pytorch/pull/117290 Approved by: https://github.com/seemethere, https://github.com/osalpekar, https://github.com/huydhn, https://github.com/atalman
2025-10-20 21:14:14 +08:00 · 2024-01-12 19:15:54 +00:00
parent 013a59acbd
commit 5cf481d1ac
16 changed files with 32 additions and 0 deletions
--- a/.github/workflows/docker-builds.yml
+++ b/.github/workflows/docker-builds.yml
@ -27,6 +27,8 @@ env:
  ALPINE_IMAGE: 308535385114.dkr.ecr.us-east-1.amazonaws.com/tool/alpine
  AWS_DEFAULT_REGION: us-east-1

+permissions: read-all
+
 jobs:
  docker-build:
    runs-on: [self-hosted, linux.2xlarge]
--- a/.github/workflows/docker-release.yml
+++ b/.github/workflows/docker-release.yml
@ -28,6 +28,8 @@ env:
  USE_BUILDX: 1
  WITH_PUSH: ${{ github.event_name == 'push' && (github.event.ref == 'refs/heads/nightly' || startsWith(github.event.ref, 'refs/tags/v')) }}

+permissions: read-all
+
 jobs:
  generate-matrix:
    if: github.repository_owner == 'pytorch'
--- a/.github/workflows/inductor-perf-compare.yml
+++ b/.github/workflows/inductor-perf-compare.yml
@ -10,6 +10,8 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref_name }}-${{ github.ref_type == 'branch' && github.sha }}-${{ github.event_name == 'workflow_dispatch' }}
  cancel-in-progress: true

+permissions: read-all
+
 jobs:
  linux-focal-cuda12_1-py3_10-gcc9-inductor-build:
    name: cuda12.1-py3.10-gcc9-sm80
--- a/.github/workflows/inductor-perf-test-nightly.yml
+++ b/.github/workflows/inductor-perf-test-nightly.yml
@ -61,6 +61,8 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref_name }}-${{ github.ref_type == 'branch' && github.sha }}-${{ github.event_name == 'workflow_dispatch' }}-${{ github.event_name == 'schedule' }}
  cancel-in-progress: true

+permissions: read-all
+
 jobs:
  linux-focal-cuda12_1-py3_10-gcc9-inductor-build:
    name: cuda12.1-py3.10-gcc9-sm80
--- a/.github/workflows/inductor-periodic.yml
+++ b/.github/workflows/inductor-periodic.yml
@ -14,6 +14,9 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref_name }}-${{ github.ref_type == 'branch' && github.sha }}-${{ github.event_name == 'workflow_dispatch' }}
  cancel-in-progress: true

+
+permissions: read-all
+
 jobs:
  linux-focal-cuda12_1-py3_10-gcc9-periodic-dynamo-benchmarks-build:
    name: cuda12.1-py3.10-gcc9-sm86-periodic-dynamo-benchmarks
--- a/.github/workflows/inductor.yml
+++ b/.github/workflows/inductor.yml
@ -13,6 +13,8 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref_name }}-${{ github.ref_type == 'branch' && github.sha }}-${{ github.event_name == 'workflow_dispatch' }}
  cancel-in-progress: true

+permissions: read-all
+
 jobs:
  linux-focal-rocm5_7-py3_8-inductor-build:
    name: rocm5.7-py3.8-inductor
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@ -11,6 +11,7 @@ on:
      - landchecks/*
  workflow_dispatch:

+permissions: read-all
 # The names of steps that actually test the code should be suffixed with `(nonretryable)`.
 # When any other step fails, it's job will be retried once by retryBot.
 jobs:
--- a/.github/workflows/mac-mps.yml
+++ b/.github/workflows/mac-mps.yml
@ -10,6 +10,8 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref_name }}-${{ github.ref_type == 'branch' && github.sha }}-${{ github.event_name == 'workflow_dispatch' }}
  cancel-in-progress: true

+permissions: read-all
+
 jobs:
  macos-12-py3-arm64-build:
    name: macos-12-py3-arm64
--- a/.github/workflows/periodic.yml
+++ b/.github/workflows/periodic.yml
@ -20,6 +20,8 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref_name }}-${{ github.ref_type == 'branch' && github.sha }}-${{ github.event_name == 'workflow_dispatch' }}-${{ github.event_name == 'schedule' }}-${{ github.event.schedule }}
  cancel-in-progress: true

+permissions: read-all
+
 jobs:
  parallelnative-linux-jammy-py3_8-gcc11-build:
    name: parallelnative-linux-jammy-py3.8-gcc11
--- a/.github/workflows/pull.yml
+++ b/.github/workflows/pull.yml
@ -17,6 +17,8 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}-${{ github.event_name == 'workflow_dispatch' }}-${{ github.event_name == 'schedule' }}
  cancel-in-progress: true

+permissions: read-all
+
 jobs:
  linux-jammy-py3_8-gcc11-build:
    name: linux-jammy-py3.8-gcc11
--- a/.github/workflows/rocm.yml
+++ b/.github/workflows/rocm.yml
@ -15,6 +15,8 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref_name }}-${{ github.ref_type == 'branch' && github.sha }}-${{ github.event_name == 'workflow_dispatch' }}-${{ github.event_name == 'schedule' }}
  cancel-in-progress: true

+permissions: read-all
+
 jobs:
  linux-focal-rocm5_7-py3_8-build:
    name: linux-focal-rocm5.7-py3.8
--- a/.github/workflows/slow.yml
+++ b/.github/workflows/slow.yml
@ -18,6 +18,8 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref_name }}-${{ github.ref_type == 'branch' && github.sha }}-${{ github.event_name == 'workflow_dispatch' }}-${{ github.event_name == 'schedule' }}-${{ github.event.schedule }}
  cancel-in-progress: true

+permissions: read-all
+
 jobs:
  linux-focal-cuda12_1-py3-gcc9-slow-gradcheck-build:
    name: linux-focal-cuda12.1-py3-gcc9-slow-gradcheck
--- a/.github/workflows/trunk.yml
+++ b/.github/workflows/trunk.yml
@ -16,6 +16,8 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref_name }}-${{ github.ref_type == 'branch' && github.sha }}-${{ github.event_name == 'workflow_dispatch' }}-${{ github.event_name == 'schedule' }}
  cancel-in-progress: true

+permissions: read-all
+
 jobs:
  # Build PyTorch with BUILD_CAFFE2=ON
  caffe2-linux-jammy-py3_8-gcc11-build:
--- a/.github/workflows/unstable-periodic.yml
+++ b/.github/workflows/unstable-periodic.yml
@ -13,6 +13,8 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref_name }}-${{ github.ref_type == 'branch' && github.sha }}-${{ github.event_name == 'workflow_dispatch' }}-${{ github.event_name == 'schedule' }}-${{ github.event.schedule }}
  cancel-in-progress: true

+permissions: read-all
+
 jobs:
  # There must be at least one job here to satisfy GitHub action workflow syntax
  introduction:
--- a/.github/workflows/unstable.yml
+++ b/.github/workflows/unstable.yml
@ -12,6 +12,8 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref_name }}-${{ github.ref_type == 'branch' && github.sha }}-${{ github.event_name == 'workflow_dispatch' }}
  cancel-in-progress: true

+permissions: read-all
+
 jobs:
  # There must be at least one job here to satisfy GitHub action workflow syntax
  introduction:
--- a/.github/workflows/weekly.yml
+++ b/.github/workflows/weekly.yml
@ -8,6 +8,8 @@ on:
    - cron: 37 7 * * 1
  workflow_dispatch:

+permissions: read-all
+
 jobs:
  update-commit-hash:
    runs-on: ubuntu-latest