Google Git
Sign in
bazel / bazel / refs/heads/release-7.0.0rc3
commitf5d4283825a986d5515c7cf58fada172d148e4da[log] [tgz]
authorbazel.build machine account <15028808+bazel-io@users.noreply.github.com>Wed Nov 08 12:00:30 2023 -0500
committerGitHub <noreply@github.com>Wed Nov 08 17:00:30 2023 +0000
treedf3fb0d6d2c09d8fc680a4fd29fe4279f855ab14
parentab0da80c4984ba7505b7ed98825969a75b72c007 [diff]
[7.0.0] Add top-level permissions to cherry-picker and remove-labels.yml (#20113)

Fixes #20086.

As described in the issue, this PR adds read-only permissions to bazel's
workflows that don't yet have them. This reduces the risk of
supply-chain attacks via the project's CI/CD infrastructure.

My understanding is that `cherry-picker.yml` does not require any
additional permissions since everything done by
`bazelbuild/continuous-integration/actions/cherry_picker` uses the
declared `GH_TOKEN` instead of the workflow's default `GITHUB_TOKEN`. If
I'm mistaken, let me know and I'll happy fix the PR.

Closes #20087.

Commit
https://github.com/bazelbuild/bazel/commit/ba61ff7d2eb6ed697e12abe3688992e85c434b30

PiperOrigin-RevId: 580542813
Change-Id: Ib45164ea8d9c0aa583e91d316ad2b552f3c9b5b7

Co-authored-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
2 files changed
tree: df3fb0d6d2c09d8fc680a4fd29fe4279f855ab14
  1. .bazelci/
  2. .github/
  3. examples/
  4. scripts/
  5. site/
  6. src/
  7. third_party/
  8. tools/
  9. .bazelrc
  10. .bazelversion
  11. .gitattributes
  12. .gitignore
  13. AUTHORS
  14. bazel_downloader.cfg
  15. BUILD
  16. CHANGELOG.md
  17. CODE_OF_CONDUCT.md
  18. CODEOWNERS
  19. combine_distfiles.py
  20. combine_distfiles_to_tar.sh
  21. compile.sh
  22. CONTRIBUTING.md
  23. CONTRIBUTORS
  24. distdir.bzl
  25. distdir_deps.bzl
  26. extensions.bzl
  27. LICENSE
  28. maven_install.json
  29. MODULE.bazel
  30. MODULE.bazel.lock
  31. rbe_extension.bzl
  32. README.md
  33. repositories.bzl
  34. requirements.txt
  35. SECURITY.md
  36. WORKSPACE
  37. WORKSPACE.bzlmod
  38. workspace_deps.bzl
README.md

Bazel

{Fast, Correct} - Choose two

Build and test software of any size, quickly and reliably.

  • Speed up your builds and tests: Bazel rebuilds only what is necessary. With advanced local and distributed caching, optimized dependency analysis and parallel execution, you get fast and incremental builds.

  • One tool, multiple languages: Build and test Java, C++, Android, iOS, Go, and a wide variety of other language platforms. Bazel runs on Windows, macOS, and Linux.

  • Scalable: Bazel helps you scale your organization, codebase, and continuous integration solution. It handles codebases of any size, in multiple repositories or a huge monorepo.

  • Extensible to your needs: Easily add support for new languages and platforms with Bazel's familiar extension language. Share and re-use language rules written by the growing Bazel community.

Getting Started

Documentation

Reporting a Vulnerability

To report a security issue, please email security@bazel.build with a description of the issue, the steps you took to create the issue, affected versions, and, if known, mitigations for the issue. Our vulnerability management team will respond within 3 working days of your email. If the issue is confirmed as a vulnerability, we will open a Security Advisory. This project follows a 90 day disclosure timeline.

Contributing to Bazel

See CONTRIBUTING.md

Build status