Limit top-level permissions for labeler workflow #9787

Merged
merged 1 commit into from
May 27, 2024

Conversation

JamieMagee (Contributor) commented May 21, 2024

By default the top-level `GITHUB_TOKEN` has all permissions[^1]. This change removes all permissions by default, as recommended by the GitHub Actions security hardening guide[^2]. Also see the related alert: https://github.com/dependabot/dependabot-core/security/code-scanning/277

This change is a low risk test. I plan to modify all other workflows if this works okay.

Footnotes

[^1]: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token

[^2]: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#restricting-permissions-for-tokens

@JamieMagee JamieMagee requested a review from a team as a code owner May 21, 2024 05:09
jurre (Member) commented May 21, 2024

Will it still be able to apply labels, without any permissions?

JamieMagee (Contributor, Author) commented

@jurre Yes, the `triage` job in the workflow has the following permissions:

```yaml
permissions:
  contents: read
  pull-requests: write
```

In general, the guide asks you to only put common read permissions at the top level, and scope write permissions to the specific jobs that require them. This workflow only has a single job, so it makes no real difference splitting the `contents: read` to the top level and the `pull-requests: write` to the job level.
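As an added illustration, not the repository's own workflow file (the PR does not reproduce it), here is a minimal labeler workflow before and after the change discussed in this thread, shown as two YAML documents. The job name `triage` and the two job-level scopes come from the comment above; the `pull_request_target` trigger and the `actions/labeler` step are assumptions.

```yaml
# Added example, not dependabot-core's actual workflow. Two separate
# workflow files are shown here as one multi-document YAML snippet.

# --- BEFORE: no top-level `permissions` key ---------------------------
# With the key absent, GITHUB_TOKEN falls back to the repository's default
# permission set, which (depending on repository settings) can be
# read/write on every scope, and every job in the file inherits it.
name: Labeler
on: [pull_request_target]      # assumed trigger
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/labeler@v5   # assumed action/version

---
# --- AFTER: empty top-level block, write scope granted per job ----------
name: Labeler
on: [pull_request_target]

# Start from no permissions at all; each job must declare what it needs.
permissions: {}

jobs:
  triage:
    # Declaring `permissions` on a job sets every unlisted scope to `none`,
    # so this job can read repository contents (to fetch the labeler
    # config) and write to pull requests (to apply labels), nothing else.
    permissions:
      contents: read
      pull-requests: write
    runs-on: ubuntu-latest
    steps:
      - uses: actions/labeler@v5
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
```

A quick way to confirm the change took effect is to open the job's "Set up job" log on the next run, which lists the exact `GITHUB_TOKEN` permissions the job received.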

@JamieMagee JamieMagee force-pushed the jamiemagee/labeler-workflow-permissions branch 3 times, most recently from e7cc59b to c74d9dd Compare May 24, 2024 21:54
@sachin-sandhu sachin-sandhu force-pushed the jamiemagee/labeler-workflow-permissions branch from c74d9dd to f93b566 Compare May 27, 2024 15:10
By default the top-level `GITHUB_TOKEN` has all permissions[^1]. This
change removes all permissions by default, as recommended by the GitHub
Actions security hardening guide[^2].

This change is a low risk test. I plan to modify all other workflows if
this works okay.

[^1]: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
[^2]: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#restricting-permissions-for-tokens
@sachin-sandhu sachin-sandhu force-pushed the jamiemagee/labeler-workflow-permissions branch from f93b566 to 37f0d9f Compare May 27, 2024 15:51
@sachin-sandhu sachin-sandhu merged commit feb0745 into main May 27, 2024
53 checks passed
@sachin-sandhu sachin-sandhu deleted the jamiemagee/labeler-workflow-permissions branch May 27, 2024 16:12