Skip to content

ci(update-trivy-db): declare contents: read + actions: write#10335

Open
arpitjain099 wants to merge 1 commit into
kubernetes-sigs:masterfrom
arpitjain099:ci/add-permissions
Open

ci(update-trivy-db): declare contents: read + actions: write#10335
arpitjain099 wants to merge 1 commit into
kubernetes-sigs:masterfrom
arpitjain099:ci/add-permissions

Conversation

@arpitjain099
Copy link
Copy Markdown

@arpitjain099 arpitjain099 commented May 13, 2026

Pins the default GITHUB_TOKEN on update-trivy-db.yaml to the minimum scope it actually uses:

  • actions: write for actions/cache/save@v5 (the Trivy DB save path).
  • contents: read is included for consistency, though the workflow has no checkout step.

The oras pull of ghcr.io/aquasecurity/trivy-db:2 is anonymous (public image). Hardens against the GitHub-side write surface.

YAML validated locally with yaml.safe_load.

@arpitjain099
ci(update-trivy-db): declare contents: read + actions: write
bd3ffac 
actions/cache/save@v5 writes the Trivy DB to the GHA cache, so the
default GITHUB_TOKEN needs actions: write. The oras pull is
anonymous.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
@k8s-ci-robot
Copy link
Copy Markdown
Contributor

k8s-ci-robot commented May 13, 2026

Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected, please follow our release note process to remove it.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. do-not-merge/needs-kind labels May 13, 2026
@k8s-ci-robot
Copy link
Copy Markdown
Contributor

k8s-ci-robot commented May 13, 2026

Welcome @arpitjain099!

It looks like this is your first PR to kubernetes-sigs/cloud-provider-azure 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/cloud-provider-azure has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels May 13, 2026
@github-actions github-actions Bot added the tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges. label May 13, 2026
@k8s-ci-robot
Copy link
Copy Markdown
Contributor

k8s-ci-robot commented May 13, 2026

Hi @arpitjain099. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label May 13, 2026
@k8s-ci-robot
Copy link
Copy Markdown
Contributor

k8s-ci-robot commented May 13, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: arpitjain099
Once this PR has been reviewed and has the lgtm label, please assign elmiko for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot requested a review from mainred May 13, 2026 11:29
@nilo19
Copy link
Copy Markdown
Contributor

nilo19 commented May 16, 2026

why do we need this change as we don't hit any failures. Why do we need the actions: write?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bridgetkromhout bridgetkromhout Awaiting requested review from bridgetkromhout

@mainred mainred Awaiting requested review from mainred

Assignees

No one assigned

Labels

cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/needs-kind do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@arpitjain099 @k8s-ci-robot @nilo19