Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ci: Add GitHub token permissions for workflows #14539

Merged
merged 1 commit into from May 10, 2022
Merged

ci: Add GitHub token permissions for workflows #14539

merged 1 commit into from May 10, 2022

Conversation

varunsh-coder
Copy link
Contributor

@varunsh-coder varunsh-coder commented May 10, 2022
edited by gitpod-io bot

GitHub asks users to define workflow permissions, see https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/ and https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token for securing GitHub workflows against supply-chain attacks.

The Open Source Security Foundation (OpenSSF) Scorecards also treats not setting token permissions as a high-risk issue.

This PR adds minimum token permissions for the GITHUB_TOKEN using https://github.com/step-security/secure-workflows.

This project is part of the top 100 critical projects as per OpenSSF (https://github.com/ossf/wg-securing-critical-projects), so fixing the token permissions to improve security.

Q                       A
Fixed Issues? Fixes #1, Fixes #2
Patch: Bug Fix? No
Major: Breaking Change? No
Minor: New Feature? No
Tests Added + Pass? Yes
Documentation PR Link
Any Dependency Changes? No
License MIT

@varunsh-coder varunsh-coder mentioned this pull request May 10, 2022
Open
@babel-bot
Copy link
Collaborator

Build successful! You can test your changes in the REPL here: https://babeljs.io/repl/build/51895/

nicolo-ribaudo
nicolo-ribaudo approved these changes May 10, 2022
View reviewed changes
Copy link
Member

@nicolo-ribaudo nicolo-ribaudo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you!

@nicolo-ribaudo
Copy link
Member

Note: the new permissions model only affects GITHUB_TOKEN, and not secrets.BOT_TOKEN.

@JLHwung JLHwung merged commit 6dc633e into babel:main May 10, 2022
@varunsh-coder varunsh-coder mentioned this pull request Jul 28, 2022
Open
32 tasks
@github-actions github-actions bot added the outdated A closed issue/PR that is archived due to age. Recommended to make a new issue label Aug 10, 2022
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 10, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@nicolo-ribaudo nicolo-ribaudo nicolo-ribaudo approved these changes

Assignees
No one assigned
Labels
outdated A closed issue/PR that is archived due to age. Recommended to make a new issue
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@varunsh-coder @babel-bot @nicolo-ribaudo @JLHwung