Limit pr-check permissions
Afaict, this workflow does not need any interesting GITHUB_TOKEN permissions.
It only needs `contents: read` if it's imported into a private repository (which is something that one might do if one were testing a PR like this).
If it needs `id-token: write`, it should be explicit about that, but based on my reading, it doesn't, as the steps all use `with:`/`creds:`.
Note that as-is, this isn't a security item because this workflow requires approval to run (and given that running it explicitly allows PRs to use an Azure credential, I have faith that reviewers are considering the contents of PRs before approving them...).
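
The permission scoping described above, as an added example that is not part of the original PR or the project's workflow. The workflow name, trigger, job name, action versions and secret name are assumptions chosen for illustration.

```yaml
# Constructed example; names, trigger and versions are assumptions.
name: pr-check-example
on: pull_request

# Explicit top-level block: any scope not listed here is set to "none",
# so GITHUB_TOKEN can only read repository contents.
permissions:
  contents: read   # lets actions/checkout fetch the code when the repo is private
  # id-token: write is deliberately absent. It is only needed to request an
  # OIDC token, and the login step below authenticates with a creds secret.

jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: azure/login@v2
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}   # hypothetical secret name
```

If a later step switched to OIDC login, `id-token: write` would have to be added to the same block explicitly, which keeps the change visible in review.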