From 3da3d82320bd035c6bd361a82ea12a70dba4e851 Mon Sep 17 00:00:00 2001 From: Varun Sharma Date: Mon, 4 Jul 2022 03:41:44 -0700 Subject: [PATCH] ci: Add GitHub token permissions for workflows (#34122) Summary: This PR adds minimum token permissions for the GITHUB_TOKEN using https://github.com/step-security/secure-workflows. GitHub recommends defining minimum GITHUB_TOKEN permissions for securing GitHub Actions workflows - https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/ - https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token - The Open Source Security Foundation (OpenSSF) [Scorecards](https://github.com/ossf/scorecard) treats not setting token permissions as a high-risk issue This project is part of the top 100 critical projects as per OpenSSF (https://github.com/ossf/wg-securing-critical-projects), so fixing the token permissions to improve security. Signed-off-by: Varun Sharma ## Changelog [General] [Security] - Add GitHub token permissions for workflows Pull Request resolved: https://github.com/facebook/react-native/pull/34122 Test Plan: N/A Reviewed By: cipolleschi Differential Revision: D37597988 Pulled By: cortinico fbshipit-source-id: 2f45914e2202a7b5bf7fa60b019dd12cdcf31952 --- .github/workflows/apply-version-label-issue.yml | 5 +++++ .github/workflows/danger_pr.yml | 3 +++ .github/workflows/needs-attention.yml | 6 ++++++ .github/workflows/on-issue-labeled.yml | 6 ++++++ .github/workflows/test-docker-android.yml | 3 +++ 5 files changed, 23 insertions(+) diff --git a/.github/workflows/apply-version-label-issue.yml b/.github/workflows/apply-version-label-issue.yml index 816d29876a200a..121e280cfcafe6 100644 --- a/.github/workflows/apply-version-label-issue.yml +++ b/.github/workflows/apply-version-label-issue.yml 
@@ -4,8 +4,13 @@ on: issues: types: [opened, edited] +permissions: + contents: read + jobs: add-version-label-issue: + permissions: + issues: write # for react-native-community/actions-apply-version-label to label issues runs-on: ubuntu-latest continue-on-error: true diff --git a/.github/workflows/danger_pr.yml b/.github/workflows/danger_pr.yml index 4cde18a216d7eb..d3e8072065a891 100644 --- a/.github/workflows/danger_pr.yml +++ b/.github/workflows/danger_pr.yml @@ -4,6 +4,9 @@ on: pull_request: types: [opened, edited, reopened, synchronize] +permissions: + contents: read + jobs: danger: runs-on: ubuntu-latest diff --git a/.github/workflows/needs-attention.yml b/.github/workflows/needs-attention.yml index 5eea15c614de35..f1ec7e8813475c 100644 --- a/.github/workflows/needs-attention.yml +++ b/.github/workflows/needs-attention.yml @@ -4,8 +4,14 @@ on: issue_comment: types: created +permissions: + contents: read + jobs: applyNeedsAttentionLabel: + permissions: + contents: read # for actions/checkout to fetch code + issues: write # for hramos/needs-attention to label issues name: Apply Needs Attention Label runs-on: ubuntu-latest steps: diff --git a/.github/workflows/on-issue-labeled.yml b/.github/workflows/on-issue-labeled.yml index 0307601237b3b7..f99404e94fae8a 100644 --- a/.github/workflows/on-issue-labeled.yml +++ b/.github/workflows/on-issue-labeled.yml @@ -4,8 +4,14 @@ on: issues: types: labeled +permissions: + contents: read + jobs: respondToIssueBasedOnLabel: + permissions: + contents: read # for hramos/respond-to-issue-based-on-label to fetch config file + issues: write # for hramos/respond-to-issue-based-on-label to update issues name: Respond to Issue Based on Label runs-on: ubuntu-latest steps: diff --git a/.github/workflows/test-docker-android.yml b/.github/workflows/test-docker-android.yml index 0af080466c32ef..6951e180eb81ce 100644 --- a/.github/workflows/test-docker-android.yml +++ b/.github/workflows/test-docker-android.yml 
@@ -8,6 +8,9 @@ on: branches: - main +permissions: + contents: read + jobs: test-docker-android: name: Test Docker
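Review bot: in the apply-version-label-issue.yml hunk the job-level `permissions:` block (`issues: write`) replaces the workflow-level `contents: read` for that job instead of merging with it, so add-version-label-issue runs with no `contents` scope at all; that is only correct if the job never runs actions/checkout. The needs-attention.yml hunk handles the same situation by repeating `contents: read # for actions/checkout to fetch code` at job level; if this job checks out the repository, add the same line here.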
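Review bot: the danger_pr.yml hunk grants only `contents: read` at workflow level and adds no job-level block for the danger job; if Danger posts its findings as a pull request comment it also needs `pull-requests: write` at job level, so please confirm the job only reads, or add that scope with a `# for ...` comment in the style used in the other hunks.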