Backport workflow-hardening fix (excessive-permissions) to 4 release branches #20588

@CharlieMCY

Summary

The default branch already hardened .github/workflows/_android.yml, .github/workflows/_unittest.yml against the issue(s) below, but 4 release branches still carry it. This proposes the same, minimal, scanner-verified fix for each.

What's flagged (by zizmor)

  • excessive-permissions — workflow/job granted broader permissions than needed

Already resolved on the default branch in:

Affected release branches (4)

  • release/0.5 (still present as of HEAD 1bc0699a)
  • release/0.4 (still present as of HEAD 6a085fff)
  • release/0.3 (still present as of HEAD ca8e0d23)
  • release/0.2 (still present as of HEAD 088cedfb)

Suggested per-branch patches

Each diff below was checked locally with zizmor and actionlint: the flagged finding(s) are cleared on the affected construct and no new lint or security findings are introduced. (Whitespace is normalized; only security-relevant lines change.)

release/0.5 — excessive-permissions

File .github/workflows/_android.yml; suggested edits:

  • jobs.$J.permissions.contents = 'read'
  • jobs.$J.permissions.id-token = 'write'

--- a/.github/workflows/_android.yml
+++ b/.github/workflows/_android.yml
@@ -29,6 +29,9 @@
         bash build/build_android_llm_demo.sh ${ARTIFACTS_DIR_NAME}
 
   # Running Android emulator directly on the runner and not using Docker
+    permissions:
+      contents: read
+      id-token: write
   run-emulator:
     needs: build-llm-demo
     # NB: Use metal install for KVM support to run the emulator faster
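
Review bot: the three added lines are indented as a field of a job but placed before `run-emulator:`, so they attach to the job whose `run` step ends just above (build-llm-demo), while the comment `# Running Android emulator directly on the runner ...` directly above them describes run-emulator; it is therefore unclear which job the `$J` placeholder in the suggested edits stands for. Resolve `$J` to the job zizmor actually flagged and put the block under that job's own key (for run-emulator, right after `run-emulator:` next to `needs: build-llm-demo`; for build-llm-demo, above the comment so it reads as part of that job), and check the rest of that job for an existing `permissions` key, since three lines of context do not show one. Also confirm the target job exchanges an OIDC token (for example through a reusable workflow it calls) before granting `id-token: write`; if it does not, `contents: read` alone clears the excessive-permissions finding, and adding a write scope is not a reduction.
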
release/0.4 — excessive-permissions

File .github/workflows/_unittest.yml; suggested edits:

  • jobs.$J.permissions.contents = 'read'
  • jobs.$J.permissions.id-token = 'write'

--- a/.github/workflows/_unittest.yml
+++ b/.github/workflows/_unittest.yml
@@ -43,6 +43,9 @@
         LLVM_PROFDATA=llvm-profdata-12 LLVM_COV=llvm-cov-12 \
         test/run_oss_cpp_tests.sh
 
+    permissions:
+      contents: read
+      id-token: write
   macos:
     uses: pytorch/test-infra/.github/workflows/macos_job.yml@release/2.5
     with:
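
Review bot: the inserted `permissions:` block is indented as a field of the job whose `run` step (`test/run_oss_cpp_tests.sh`) ends just above it, not of `macos:`, which follows; if the flagged construct is the `macos` job, the block has to go under `macos:` itself (a job that calls a reusable workflow may carry `permissions`, which are handed to the called workflow and cannot exceed the caller's own grants). If the preceding job is the intended target, the placement is fine, but the `$J` placeholder in the suggested edits should be replaced by that job's id so the backport can be checked against what zizmor reported on release/0.4, and the job should be checked for an existing `permissions` key that the three context lines would not show.
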
release/0.3 — excessive-permissions

File .github/workflows/_unittest.yml; suggested edits:

  • jobs.$J.permissions.contents = 'read'
  • jobs.$J.permissions.id-token = 'write'

--- a/.github/workflows/_unittest.yml
+++ b/.github/workflows/_unittest.yml
@@ -43,6 +43,9 @@
         LLVM_PROFDATA=llvm-profdata-12 LLVM_COV=llvm-cov-12 \
         test/run_oss_cpp_tests.sh
 
+    permissions:
+      contents: read
+      id-token: write
   macos:
     uses: pytorch/test-infra/.github/workflows/macos_job.yml@release/2.4
     with:
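
Review bot: same placement question as on release/0.4: at this indentation, sitting between the end of one job's `run` step and the `macos:` key, the block becomes a field of the preceding job rather than of `macos`, and the hunk gives no way to tell which of the two the `$J` in the suggested edits refers to. Name the job explicitly and anchor the block inside it (directly under its key), and keep `id-token: write` only if that job, or the `macos_job.yml@release/2.4` workflow it calls, really needs an OIDC token; otherwise `contents: read` is the whole fix.
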
release/0.2 — excessive-permissions

File .github/workflows/_unittest.yml; suggested edits:

  • jobs.$J.permissions.contents = 'read'
  • jobs.$J.permissions.id-token = 'write'

--- a/.github/workflows/_unittest.yml
+++ b/.github/workflows/_unittest.yml
@@ -43,6 +43,9 @@
         # Run pytest with coverage
         pytest -n auto --cov=./ --cov-report=xml
 
+    permissions:
+      contents: read
+      id-token: write
   macos:
     uses: pytorch/test-infra/.github/workflows/macos_job.yml@release/2.3
     strategy:
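
Review bot: here the block lands after the job that runs `pytest -n auto --cov=./ --cov-report=xml` and before `macos:`, so it is parsed as a field of the pytest job, not of `macos`; the same ambiguity about `$J` as in the other three hunks applies, and it is the one branch where the preceding job is a Python test job rather than the C++ one, so a copy-pasted placement is easy to get wrong. State the job id, place the block under that job's key (for `macos`, alongside `uses:` and `strategy:`), and verify that `id-token: write` is actually required by whichever job ends up carrying it.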

Happy to open pull requests instead if that's preferred.
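
To make the intended placement concrete, here is an added example written by the editor, not code from this repository or from pytorch/test-infra: the `linux` and `upload-artifacts` job ids, the `script` input of macos_job.yml, the AWS role and bucket are assumptions or placeholders. It shows the least-privilege layering the suggested edits are aiming at: a read-only workflow default, a job-level block directly under its own job key, and `id-token: write` only on the job that exchanges an OIDC token.

```yaml
name: unittest

on:
  pull_request:

# Workflow-level baseline: every job starts read-only unless it asks for more.
permissions:
  contents: read

jobs:
  linux:
    runs-on: ubuntu-latest
    # A job-level block sits directly under its job key; placed between two
    # jobs at this indentation it would silently attach to the job above.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4   # pin to a full commit SHA in production
      - name: Run C++ tests
        run: |
          test/run_oss_cpp_tests.sh

  macos:
    # A job that calls a reusable workflow may carry `permissions` too; they
    # are handed to the called workflow and cannot exceed the caller's grants.
    uses: pytorch/test-infra/.github/workflows/macos_job.yml@release/2.5
    permissions:
      contents: read
    # `script` is assumed to be an input of macos_job.yml (see lead-in).
    with:
      script: |
        test/run_oss_cpp_tests.sh

  upload-artifacts:
    # `id-token: write` belongs only on the job that exchanges an OIDC token,
    # here to obtain short-lived cloud credentials; no other job gets it.
    needs: [linux, macos]
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/PLACEHOLDER-ROLE
          aws-region: us-east-1
      - run: aws s3 cp build/ s3://PLACEHOLDER-BUCKET/artifacts/ --recursive
```

Running zizmor over this file should report no excessive-permissions finding, because each job's grant is explicit and the only write scope is tied to the job that consumes it.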
