Summary
The default branch already hardened .github/workflows/_android.yml, .github/workflows/_unittest.yml against the issue(s) below, but 4 release branches still carry it. This proposes the same, minimal, scanner-verified fix for each.
What's flagged (by zizmor)
excessive-permissions — workflow/job granted broader permissions than needed
Already resolved on the default branch in:
Affected release branches (4)
release/0.5 (still present as of HEAD 1bc0699a)
release/0.4 (still present as of HEAD 6a085fff)
release/0.3 (still present as of HEAD ca8e0d23)
release/0.2 (still present as of HEAD 088cedfb)
Suggested per-branch patches
Each diff below was checked locally with zizmor and actionlint: the flagged finding(s) are cleared on the affected construct and no new lint or security findings are introduced. (Whitespace is normalized; only security-relevant lines change.)
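As an added illustration (not a file from the project and not one of the patches in this issue), here is the shape the fix takes in a reduced `_unittest.yml`-style workflow. The reusable-workflow refs and `with:` inputs are assumed for the example; what matters is where a job-level `permissions:` block has to sit, and that `id-token: write` is a grant that needs a reason, not part of the reduction.

```yaml
# Added example, not project code. Reusable-workflow refs and inputs are assumed.
name: unittest
on:
  pull_request:

# Weak form (what the release branches carry today): nothing declared,
# so every job inherits the repository default GITHUB_TOKEN scopes.
#
# jobs:
#   linux:
#     uses: pytorch/test-infra/.github/workflows/linux_job.yml@release/2.5
#
# Hardened form: deny everything at the workflow level, then grant per job
# exactly what that job uses. Job-level permissions override this default,
# and a called reusable workflow cannot exceed what the calling job grants.
permissions: {}

jobs:
  linux:
    # Checkout needs contents: read; nothing here publishes, comments,
    # or authenticates to a cloud account, so nothing else is granted.
    permissions:
      contents: read
    uses: pytorch/test-infra/.github/workflows/linux_job.yml@release/2.5   # assumed ref
    with:
      script: |
        # A permissions: key indented to THIS level would be swallowed
        # into the shell script; it must sit at the job-key level above.
        test/run_oss_cpp_tests.sh

  macos:
    # id-token: write is only justified if the called workflow actually
    # exchanges the GitHub OIDC token (for example for cloud credentials).
    # If it does not, remove it and keep contents: read alone.
    permissions:
      contents: read
      id-token: write
    uses: pytorch/test-infra/.github/workflows/macos_job.yml@release/2.5
    with:
      script: |
        pytest -n auto --cov=./ --cov-report=xml
```

Running `zizmor` on the weak form reports `excessive-permissions` for the workflow; on the hardened form it is silent as long as each job's grants stay within what the job demonstrably uses.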
release/0.5 — excessive-permissions
File .github/workflows/_android.yml; suggested edits:
- jobs.$J.permissions.contents = 'read'
- jobs.$J.permissions.id-token = 'write'
--- a/.github/workflows/_android.yml
+++ b/.github/workflows/_android.yml
@@ -29,6 +29,9 @@
bash build/build_android_llm_demo.sh ${ARTIFACTS_DIR_NAME}
# Running Android emulator directly on the runner and not using Docker
+ permissions:
+ contents: read
+ id-token: write
run-emulator:
needs: build-llm-demo
# NB: Use metal install for KVM support to run the emulator faster
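Review bot: the three added lines land between the `# Running Android emulator directly on the runner ...` comment and `run-emulator:`, so it is unclear which job they attach to, and they split that comment from the job it describes. If the target is the job that runs `bash build/build_android_llm_demo.sh`, put `permissions:` at the top of that job (next to its `needs`/`uses`), above the comment; if the target is `run-emulator`, the block has to go below `run-emulator:`, alongside `needs: build-llm-demo`. Because whitespace is normalized in this diff, also confirm the key is at job-key indentation and not at the indentation of the `bash build/...` line, which appears to be inside a multi-line script scalar; at that depth the three lines become part of the shell script rather than YAML keys. Lastly, `id-token: write` is a grant rather than a reduction; keep it only if this job actually requests an OIDC token, otherwise `contents: read` alone clears the finding.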
release/0.4 — excessive-permissions
File .github/workflows/_unittest.yml; suggested edits:
- jobs.$J.permissions.contents = 'read'
- jobs.$J.permissions.id-token = 'write'
--- a/.github/workflows/_unittest.yml
+++ b/.github/workflows/_unittest.yml
@@ -43,6 +43,9 @@
LLVM_PROFDATA=llvm-profdata-12 LLVM_COV=llvm-cov-12 \
test/run_oss_cpp_tests.sh
+ permissions:
+ contents: read
+ id-token: write
macos:
uses: pytorch/test-infra/.github/workflows/macos_job.yml@release/2.5
with:
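Review bot: the summary uses the placeholder `jobs.$J` and never names the job, and the hunk itself places the keys after `test/run_oss_cpp_tests.sh` and before `macos:`, so they apply to the job preceding `macos:`, not to `macos:`. If the flagged job is `macos`, which calls `macos_job.yml@release/2.5` as a reusable workflow, its `permissions:` must sit under `macos:` next to `uses:`; job-level permissions are honored for reusable-workflow calls and cap what the called workflow may request. Please name the job in the PR description and, since indentation is not visible here, state that `permissions:` is at job-key depth rather than at the depth of the `test/run_oss_cpp_tests.sh` line, which looks like the tail of a script scalar.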
release/0.3 — excessive-permissions
File .github/workflows/_unittest.yml; suggested edits:
- jobs.$J.permissions.contents = 'read'
- jobs.$J.permissions.id-token = 'write'
--- a/.github/workflows/_unittest.yml
+++ b/.github/workflows/_unittest.yml
@@ -43,6 +43,9 @@
LLVM_PROFDATA=llvm-profdata-12 LLVM_COV=llvm-cov-12 \
test/run_oss_cpp_tests.sh
+ permissions:
+ contents: read
+ id-token: write
macos:
uses: pytorch/test-infra/.github/workflows/macos_job.yml@release/2.4
with:
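Review bot: this hunk is byte-for-byte the release/0.4 one except for the `macos_job.yml@release/2.4` ref, with the same `@@ -43,6 +43,9 @@` offset; please confirm it was generated against the release/0.3 file at `ca8e0d23` rather than copied, since an identical line number across branches is possible but worth checking before the patch is applied. The placement remark also stands: `permissions:` appended after `test/run_oss_cpp_tests.sh` belongs to the job before `macos:`, so if `macos` is the flagged job the block must move beneath `macos:`. Drop `id-token: write` unless that job is known to request an OIDC token; `contents: read` by itself satisfies `excessive-permissions`.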
release/0.2 — excessive-permissions
File .github/workflows/_unittest.yml; suggested edits:
- jobs.$J.permissions.contents = 'read'
- jobs.$J.permissions.id-token = 'write'
--- a/.github/workflows/_unittest.yml
+++ b/.github/workflows/_unittest.yml
@@ -43,6 +43,9 @@
# Run pytest with coverage
pytest -n auto --cov=./ --cov-report=xml
+ permissions:
+ contents: read
+ id-token: write
macos:
uses: pytorch/test-infra/.github/workflows/macos_job.yml@release/2.3
strategy:
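Review bot: here the context differs from the other `_unittest.yml` hunks (`pytest -n auto --cov=./ --cov-report=xml` instead of `test/run_oss_cpp_tests.sh`) and `macos:` carries a `strategy:` block after `uses:`, so the job layout on release/0.2 is not the same as on 0.3/0.4; double-check that the preceding job is the one `$J` refers to. If `macos` is the intended target, `permissions:` goes under `macos:` before `strategy:`, not above the job name. As with the other branches, `id-token: write` should be justified by an actual OIDC exchange in the called workflow; the scanner finding only requires that the grants be explicit and minimal.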
Happy to open pull requests instead if that's preferred.