Set github workflow permissions to least privileges #1006
Comments
|
@joycebrum thanks a lot for reporting. |
|
I won't only be able to test if it will be working with the new permissions, but looking at the code and considering that are mostly python script or make script that does not refer GITHUB_TOKEN, About the error on Wheels workflow bellow: When I tried to install the numexpr version 2.6.2 locally it also didn't work, although the error was quite different. Perhaps the version is broken now?
but the version 2.8.4 installed successfully so the problem might be 2.6.2.
You can consider upgrade the numexpr version and see if it works. |
|
Thanks @joycebrum, I will try to work on it during the weekend. |
I would like to suggest setting the permissions to the github workflows as read only on the top level and any write permission be given at the run level.
This is necessary due to a behavior of github workflow to grant to GITHUB_TOKEN write permissions to all types of permissions, regardless of they being used or not. In case of the workflow getting compromised, an attacker can exploit this permissions.
This can be seen in the Action run step "Set up job" such as https://github.com/PyTables/PyTables/actions/runs/4407964071/jobs/7722340374:
Thus, it is both a recommendation from OpenSSF Scorecard and the Github to always use credentials that are minimally scoped.
Let me know if a PR is welcome and I'll submit it as soon as possible.
Thanks!
Disclosure: I'm from Google, working with the OpenSSF to help many open source projects to increase their supply-chain security.
The text was updated successfully, but these errors were encountered: