2843f15e8c
Currently if a PR modifies any file that configures a Github action (e.g. a workflow file), the caretaker might face an error when merging such PR: ``` ! [remote rejected] merge_pr_target_11.2.x -> 11.2.x (refusing to allow a Personal Access Token to create or update workflow ``` This happens because Github requires the token being used for the push operation to have the `workflow` scope set. This is a special scope added by Github to ensure that no changes can be made on upstream branches that might expose the `GITHUB_TOKEN` environment variable, which is available for push builds and could cause the token being leaked. With this commit we enforce that the caretaker adds the workflow scope to their github token. Since PRs can only be merged if reviewed thoroughly, it's acceptable to allow workflow file changes being merged through the merge tool by the caretaker (especially since we also allow CircleCI config files being merged with the default `repo`/`public_repo` scope). PR Close #41989 |
||
|---|---|---|
| .. | ||
| check-target-branches | ||
| checkout | ||
| common | ||
| discover-new-conflicts | ||
| merge | ||
| rebase | ||
| BUILD.bazel | ||
| cli.ts | ||