Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[SPARK-38426] Fixes perms for actions #35742

Closed
wants to merge 1 commit into from
Closed

[SPARK-38426] Fixes perms for actions #35742

wants to merge 1 commit into from

Conversation

naveensrinivasan
Copy link
Contributor

What changes were proposed in this pull request?

Why are the changes needed?

Does this PR introduce any user-facing change?

No

How was this patch tested?

N/A

@github-actions github-actions bot added the INFRA label Mar 6, 2022
@naveensrinivasan
[SPARK-38426] Fixes perms for actions
4bddcfb 
- Fixed permission for some of workflow actions https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
- Pinned some of the actions SHA https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
@AmplabJenkins
Copy link

Can one of the admins verify this patch?

@naveensrinivasan
Copy link
Contributor Author

A friendly reminder

@naveensrinivasan
Copy link
Contributor Author

@HyukjinKwon A friendly ping

@HyukjinKwon
Copy link
Member

I am fine. Just don't feel strong enough to approve and merge. We can wait for other committers to join/merge/approve.

@naveensrinivasan
Copy link
Contributor Author

I am fine. Just don't feel strong enough to approve and merge. We can wait for other committers to join/merge/approve.

Ok. Is there a specific reason for your feeling?

@naveensrinivasan
Copy link
Contributor Author

Pin actions to a full length commit SHA

Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.

https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions

@naveensrinivasan
Copy link
Contributor Author

@HyukjinKwon A friendly ping

@srowen
Copy link
Member

srowen commented Apr 16, 2022

Seems like the same comment would go for not pinning other actions?
Does restricting to read permission have any negative effects at all for our usage? can't think of any

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@HyukjinKwon HyukjinKwon Awaiting requested review from HyukjinKwon

Assignees
No one assigned
Labels
INFRA
Projects
None yet
Milestone
No milestone
4 participants
@naveensrinivasan @AmplabJenkins @HyukjinKwon @srowen