CI: Resolve OSSF GitHub token permissions security alerts #2891

Merged
merged 1 commit into from
Jul 2, 2023
2 changes: 2 additions & 0 deletions .github/workflows/e2e-test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,8 @@ name: Test Deployment
on:
deployment_status:

permissions: read-all

jobs:
e2eTests:
if:
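Review bot: `permissions: read-all` is acceptable for a `deployment_status` job, but it grants read on every scope rather than the one checkout needs; if nothing in the collapsed `e2eTests` job calls the API, `permissions:` with only `contents: read` is the tighter statement. Check the job body for a step that reports a status or deployment result back to GitHub: with read-only scopes that call will now fail, and the fix is a job-level `statuses: write` or `deployments: write` on that job, not a top-level write.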
15 changes: 15 additions & 0 deletions .github/workflows/empty-issues-closer.yaml
Expand Up @@ -6,6 +6,21 @@ on:
- opened
- edited

permissions:
actions: read
checks: read
contents: read
deployments: read
id-token: read
issues: write
discussions: read
packages: read
pages: read
pull-requests: read
repository-projects: read
security-events: read
statuses: read

jobs:
closeEmptyIssuesAndTemplates:
if: github.repository == 'anuraghazra/github-readme-stats'
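Review bot: `issues: write` is the only scope the `closeEmptyIssuesAndTemplates` job needs; listing the other twelve scopes as `read` widens the token for no benefit, because once any scope is specified every unspecified scope is already `none`. The block reduces to `issues: write` plus `contents: read` only if the job runs actions/checkout. `id-token: read` in particular grants nothing, since requesting an OIDC token requires `id-token: write`.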
15 changes: 15 additions & 0 deletions .github/workflows/generate-theme-doc.yml
Expand Up @@ -6,6 +6,21 @@
paths:
- "themes/index.js"

permissions:
actions: read
checks: read
contents: write

Check failure

Code scanning / Scorecard

Token-Permissions High

score is 0: topLevel 'contents' permission set to 'write'
Remediation tip: Visit https://app.stepsecurity.io/secureworkflow.
Tick the 'Restrict permissions for GITHUB_TOKEN'
Untick other options
NOTE: If you want to resolve multiple issues at once, you can visit https://app.stepsecurity.io/securerepo instead.
Click Remediation section below for further remediation help
Collaborator

@rickstaa rickstaa Jun 30, 2023

@anuraghazra, would it be possible to restrict the `GITHUB_TOKEN` permissions so we can merge this pull request?

Collaborator Author

@rickstaa These alerts can be dismissed with the "Used only in tests" reason. We cannot resolve them because these permissions are required for the workflows to run. I think that if you approve it we can merge it now.

Owner

Not sure whats this about, but approved.

Collaborator

@rickstaa These alerts can be dismissed with the "Used only in tests" reason. We cannot resolve them because these permissions are required for the workflows to run. I think that if you approve it we can merge it now.

Thanks for the explanation, makes sense!

deployments: read
id-token: read
issues: read
discussions: read
packages: read
pages: read
pull-requests: read
repository-projects: read
security-events: read
statuses: read

jobs:
generateThemeDoc:
runs-on: ubuntu-latest
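Review bot: the Scorecard failure on `contents: write` can be resolved rather than dismissed: keep the top-level block read-only and declare `contents: write` under `jobs.generateThemeDoc.permissions`, so only that job's token can push and the token handed to any other job in this file cannot. A job named generateThemeDoc that commits generated documentation is not a test, so the "Used only in tests" dismissal reason does not describe it. As written, every step in the job, including any third-party action it runs, receives a token that can push to the repository, which is exactly the blast radius the Token-Permissions check scores as 0.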
15 changes: 15 additions & 0 deletions .github/workflows/label-pr.yml
Expand Up @@ -2,6 +2,21 @@ name: "Pull Request Labeler"
on:
- pull_request_target

permissions:
actions: read
checks: read
contents: read
deployments: read
id-token: read
issues: read
discussions: read
packages: read
pages: read
pull-requests: write
repository-projects: read
security-events: read
statuses: read

jobs:
triage:
if: github.repository == 'anuraghazra/github-readme-stats'
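Review bot: `pull_request_target` runs in the base repository's context with repository secrets, so the `pull-requests: write` granted here is what a fork PR author would inherit if the `triage` job ever checks out or executes content from the PR head (files, package scripts, a config file it reads). Labeling needs only the event payload, not the PR's code; confirm the collapsed job body does not check out `github.event.pull_request.head.sha` and pins its actions. `contents: read` at least keeps such a run from pushing, which is the one real improvement this hunk makes for that trigger.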
15 changes: 15 additions & 0 deletions .github/workflows/preview-theme.yml
Expand Up @@ -7,6 +7,21 @@ on:
paths:
- "themes/index.js"

permissions:
actions: read
checks: read
contents: read
deployments: read
id-token: read
issues: read
discussions: read
packages: read
pages: read
pull-requests: write
repository-projects: read
security-events: read
statuses: read

jobs:
previewTheme:
name: Install & Preview
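Review bot: the job name "Install & Preview" implies a dependency install, and the `paths: themes/index.js` filter implies the workflow reacts to a change proposed in a pull request; if the trigger above this hunk is `pull_request_target` and the install runs against the PR head, lifecycle scripts from that PR execute with this `pull-requests: write` token. Either install from the base ref only, or split the commenting step into a separate job that receives the rendered preview as an artifact and is the only job holding `pull-requests: write`.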
15 changes: 15 additions & 0 deletions .github/workflows/prs-cache-clean.yml
Expand Up @@ -4,6 +4,21 @@
types:
- closed

permissions:
actions: write
Dismissed code scanning alert
checks: read
contents: read
deployments: read
id-token: read
issues: read
discussions: read
packages: read
pages: read
pull-requests: read
repository-projects: read
security-events: read
statuses: read

jobs:
cleanup:
runs-on: ubuntu-latest
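Review bot: `actions: write` is what deleting caches through the Actions API requires, so the dismissed alert is expected, but the same scope also lets the token cancel and re-run workflow runs and delete artifacts; put it in a job-level `permissions:` block on `cleanup` instead of the top level, and drop the remaining read scopes, none of which cache deletion uses (listing caches needs only `actions: read`, which `actions: write` already implies).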
15 changes: 15 additions & 0 deletions .github/workflows/stale-theme-pr-closer.yaml
Expand Up @@ -3,6 +3,21 @@ on:
schedule:
- cron: "0 0 */7 * *"

permissions:
actions: read
checks: read
contents: read
deployments: read
id-token: read
issues: read
discussions: read
packages: read
pages: read
pull-requests: write
repository-projects: read
security-events: read
statuses: read

jobs:
closeOldThemePrs:
if: github.repository == 'anuraghazra/github-readme-stats'
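Review bot: a `schedule` run always executes on the default branch with a trusted token, so the concern here is over-scoping rather than untrusted input: closing pull requests needs `pull-requests: write` and nothing else in this list. `actions`, `packages`, `security-events`, `deployments` and `pages` reads are unused by a PR-closing job, and `id-token: read` is not a usable level (OIDC requires `write`), so the block can shrink to the single write scope.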
2 changes: 2 additions & 0 deletions .github/workflows/test.yml
Expand Up @@ -7,6 +7,8 @@ on:
branches:
- master

permissions: read-all

jobs:
build:
name: Perform tests
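Review bot: fine as is; for runs triggered from a fork pull request the token is read-only regardless, so this `read-all` mainly hardens the push-to-master run, where the default token can be write-all depending on the repository's Actions settings. If the `build` job only checks out and runs the test suite, `contents: read` alone is the tighter statement and makes any later addition of a write scope stand out in review.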
15 changes: 15 additions & 0 deletions .github/workflows/top-issues-dashboard.yml
Expand Up @@ -4,6 +4,21 @@ on:
- cron: "0 0 */3 * *"
workflow_dispatch:

permissions:
actions: read
checks: read
contents: read
deployments: read
id-token: read
issues: write
discussions: read
packages: read
pages: read
pull-requests: write
repository-projects: read
security-events: read
statuses: read

jobs:
showAndLabelTopIssues:
if: github.repository == 'anuraghazra/github-readme-stats'
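Review bot: two write scopes at the top level apply to every step of every job in this file, including any third-party dashboard action it pulls in and any run started via `workflow_dispatch`; if one step labels or edits issues and another touches pull requests, move `issues: write` and `pull-requests: write` to job level (or split the jobs) so each token carries a single write scope, and pin the actions by commit SHA, since a write token plus an unpinned action is the supply-chain path the Token-Permissions check is meant to narrow.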
15 changes: 15 additions & 0 deletions .github/workflows/update-langs.yaml
Expand Up @@ -3,6 +3,21 @@ on:
schedule:
- cron: "0 0 */30 * *"

permissions:
actions: read
checks: read
contents: read
deployments: read
id-token: read
issues: read
discussions: read
packages: read
pages: read
pull-requests: write
repository-projects: read
security-events: read
statuses: read

jobs:
updateLanguages:
if: github.repository == 'anuraghazra/github-readme-stats'
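Review bot: a 30-day scheduled job named updateLanguages that gets `pull-requests: write` is presumably opening a pull request with refreshed data; pushing the branch for that PR needs `contents: write`, which this block sets to `read`, so the job will fail at the push step unless it authenticates with something other than GITHUB_TOKEN. Verify the collapsed job body; if it does push, prefer a job-level `contents: write` over a top-level one, and note that pull requests opened with GITHUB_TOKEN do not trigger other workflows (such as test.yml) on that PR, so the update will not be tested automatically.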
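As an added example (my code, not code from this pull request or from github-readme-stats), the rule behind the Scorecard Token-Permissions failure shown on generate-theme-doc.yml, "topLevel 'contents' permission set to 'write'", as a stand-alone audit over workflow text, together with the checks a reviewer applies by hand: a workflow with no top-level `permissions:` block, `read` scopes listed explicitly although unlisted scopes already default to `none`, and `id-token: read`. It assumes only the flat `permissions:` layouts used in this PR (the shorthand or an indented scope list; it is not a YAML parser), assumes `contents: read` is needed for checkout when it proposes a minimal block, and the sample workflows and their file names are constructed to resemble the hunks, not copied from the repository.

```python
"""Audit GitHub Actions workflow text for GITHUB_TOKEN permission problems.

Added example, not part of this PR or project. Re-implements the Scorecard
rule (top-level write on a high-risk scope scores 0) plus reviewer checks:
missing top-level block, noisy explicit read scopes, and id-token: read.
Handles only flat `permissions:` layouts; constructed samples at the bottom.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Top-level write on these scopes gives push, package-publish or workflow
# control rights to every job in the file; Scorecard scores that as 0.
HIGH_RISK_WRITE = {"contents", "packages", "actions"}


@dataclass
class Finding:
    workflow: str
    severity: str  # high / medium / low
    message: str


def parse_top_level_permissions(text: str) -> Optional[Dict[str, str]]:
    """{scope: level} for the unindented `permissions:` block, {"*": level}
    for read-all/write-all, {} for `permissions: {}`, None if absent.
    Indented (job-level) blocks are deliberately not matched."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^permissions:\s*(\S+)?\s*$", line)
        if not m:
            continue
        if m.group(1) == "{}":
            return {}
        if m.group(1):
            return {"*": m.group(1).replace("-all", "")}
        scopes: Dict[str, str] = {}
        for sub in lines[i + 1:]:
            if not sub.strip():
                continue
            sm = re.match(r"^\s+([a-z-]+):\s*(read|write|none)\s*$", sub)
            if not sm:  # a dedented line such as `jobs:` ends the block
                break
            scopes[sm.group(1)] = sm.group(2)
        return scopes
    return None


def audit(name: str, text: str) -> List[Finding]:
    perms = parse_top_level_permissions(text)
    out: List[Finding] = []
    if perms is None:
        out.append(Finding(name, "high", "no top-level permissions block; "
                           "GITHUB_TOKEN gets the repository default"))
        return out
    if perms.get("*") == "write":
        out.append(Finding(name, "high", "permissions: write-all at top level"))
        return out
    for scope, level in perms.items():
        if level != "write":
            continue
        if scope in HIGH_RISK_WRITE:
            out.append(Finding(name, "high", f"topLevel '{scope}' permission "
                               "set to 'write'; move it to the job that needs it"))
        else:
            out.append(Finding(name, "medium", f"top-level '{scope}: write' "
                               "applies to every job; prefer job-level"))
    reads = [s for s, l in perms.items() if l == "read" and s != "*"]
    if len(reads) > 1:
        out.append(Finding(name, "low", f"{len(reads)} scopes listed as read; "
                           "unlisted scopes default to none, list only what is used"))
    if perms.get("id-token") == "read":
        out.append(Finding(name, "low", "id-token: read grants nothing "
                           "(an OIDC token needs id-token: write)"))
    return out


def minimal_block(perms: Dict[str, str]) -> str:
    """Least-privilege equivalent: keep write scopes and contents: read
    (assumed needed for actions/checkout), drop every other read scope."""
    if "*" in perms:
        return f"permissions: {perms['*']}-all"
    keep = {s: l for s, l in perms.items()
            if l == "write" or (s == "contents" and l == "read")}
    if not keep:
        return "permissions: {}"
    return "permissions:\n" + "\n".join(f"  {s}: {l}" for s, l in keep.items())


# Constructed samples modelled on this PR's hunks (not the real files).
SAMPLES = {
    "generate-theme-doc.yml": (
        "name: Generate Theme Doc\non:\n  push:\n    paths:\n"
        "      - \"themes/index.js\"\n\npermissions:\n  actions: read\n"
        "  checks: read\n  contents: write\n  deployments: read\n"
        "  id-token: read\n  issues: read\n  pull-requests: read\n\n"
        "jobs:\n  generateThemeDoc:\n    runs-on: ubuntu-latest\n"),
    "test.yml": (
        "name: Test\non:\n  push:\n    branches:\n      - master\n\n"
        "permissions: read-all\n\njobs:\n  build:\n    runs-on: ubuntu-latest\n"),
    "legacy.yml": (  # job-level block only, so the top level is unset
        "name: Legacy\non: [push]\n\njobs:\n  build:\n"
        "    runs-on: ubuntu-latest\n    permissions:\n      contents: read\n"),
}


def run_audit(samples: Dict[str, str] = SAMPLES) -> List[Finding]:
    return [f for name, text in samples.items() for f in audit(name, text)]


if __name__ == "__main__":
    for f in run_audit():
        print(f"{f.severity:6} {f.workflow}: {f.message}")
    print(minimal_block(parse_top_level_permissions(SAMPLES["generate-theme-doc.yml"])))
```

Run it against a real checkout by replacing `SAMPLES` with the contents of `.github/workflows/*.yml`; the `legacy.yml` sample shows why the parser ignores indented blocks, since a job-level `permissions:` does not satisfy the top-level check. `minimal_block` only proposes a block; whether `contents: read` is actually needed depends on whether the job checks out the repository.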