Peter Barker

Results 876 comments of Peter Barker

> Yes, this is a way to fix it. But usually you only give write permissions to a single task. Take a look at https://github.com/ArduPilot/MethodicConfigurator/tree/master/.github/workflows for inspiration. Doesn't this task...

> Yes, this is a way to fix it. But usually you only give write permissions to a single task. Take a look at https://github.com/ArduPilot/MethodicConfigurator/tree/master/.github/workflows for inspiration. Ah, I see....

@amilcarlucas so this appears to pass. It is just changing the permission on "content" to "read", and not granting write permissions to anything. Does this look correct to you?!

> ```
> permissions:
>   pull-requests: write # for creating PRs
> ```
>
> In some jobs that create branches, commits or PRs. I think the fact that no...

... how is this uploading artifacts?! The text I opened this PR with seems to indicate it shouldn't be able to unless I grant it extra permissions!?

@amilcarlucas so it's this: ![image](https://github.com/user-attachments/assets/dafc118f-a770-4e18-932f-7d2b959c93f1) ... so everything is permitted by default.

I've now added sufficient `permission:` entries to the workflow files to pass when we move to the second option in the picture above, "Read repository contents and packages permissions"

Probably going to choose this one. We couldn't find any place that this actually improves security, and is maintenance overhead. Someone who knows more about github actions needs to chime...

```
UTC1158 - https://github.com/ArduPilot/ardupilot/pull/30250
Put permission: into our workflows
We can’t see where this increases security
Need someone who knows what they’re doing with the workflows to tell us why...
```

> This follows the principle of as few permissions as necessary. And the tests do pass now. I made that argument on the call and it was apparently not convincing...