ci: Add GitHub token permissions for workflows #21162
Conversation
Signed-off-by: Varun Sharma <varunsh@stepsecurity.io>
Thank you for your PR. I feel like the permissions you added won't be sufficient for some of the workflows. Can we/you somehow check if this would work?
@@ -21,6 +21,9 @@ env: | |||
# Enable debug for the `gradle-build-action` cache operations | |||
GRADLE_BUILD_ACTION_CACHE_DEBUG_ENABLED: true | |||
|
|||
permissions: | |||
contents: read |
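Review bot: the three added lines introduce a workflow-level `permissions: contents: read`, which is inherited by every job that does not declare its own `permissions` block, and every scope not listed there drops to `none` for the token, so any job in this workflow that updates a commit status or posts a comment through GITHUB_TOKEN would start failing once this lands; it would help to note in the PR which jobs were checked, and if one of them does need more than read, give that job its own `permissions:` block rather than widening the top-level one.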
Does the gradle build action need more access than reading the contents?
Based on my code review of https://github.com/gradle/gradle-build-action, it does not use the GITHUB_TOKEN.
I wonder if github action needs to update the commit status, which requires write access. Anyway, we can start with strictest policy and adjust it later.
@bot-gradle test and merge
No milestone for this PR. Please set a milestone and retry.
@bot-gradle test and merge
OK, I've already triggered a build for you.
Context
This PR adds minimum token permissions for the GITHUB_TOKEN using https://github.com/step-security/secure-workflows.
GitHub recommends defining minimum GITHUB_TOKEN permissions for securing GitHub Actions workflows.
This project is part of the top 100 critical projects as per OpenSSF (https://github.com/ossf/wg-securing-critical-projects), so this PR fixes the token permissions to improve security.
Signed-off-by: Varun Sharma <varunsh@stepsecurity.io>
Contributor Checklist
- Integration tests (under `<subproject>/src/integTest`) to verify changes from a user perspective
- Unit tests (under `<subproject>/src/test`) to verify logic
- `./gradlew sanityCheck`
- `./gradlew <changed-subproject>:quickTest`
Gradle Core Team Checklist
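To make the effect of the change concrete, here is an added example (not taken from the gradle/gradle workflow or from this PR) showing a workflow without any `permissions` key beside the same workflow with the least-privilege token declared at the top level and widened only for the one hypothetical job that needs to publish a commit status, the case raised in the review discussion. Job names, action versions and the `report-status` job are assumptions for illustration.

```yaml
# Added example, not the project's own workflow. Two YAML documents:
# the weak form first, the corrected form second.

# --- Before: no 'permissions' key anywhere ---
# GITHUB_TOKEN falls back to the repository's default token setting,
# which can be read/write on every scope for every job in the workflow.
name: ci-before
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: gradle/gradle-build-action@v2
      - run: ./gradlew sanityCheck

---
# --- After: read-only token for the whole workflow, widened per job ---
name: ci-after
on: [push, pull_request]

# Applies to every job that does not declare its own 'permissions' block;
# every scope not listed here is 'none' for those jobs.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    # Inherits contents: read. Nothing in this job writes via GITHUB_TOKEN.
    steps:
      - uses: actions/checkout@v3
      - uses: gradle/gradle-build-action@v2
      - run: ./gradlew sanityCheck

  report-status:            # hypothetical job that sets a commit status
    needs: build
    runs-on: ubuntu-latest
    # A job-level block replaces the workflow-level one for this job, so
    # every scope the job needs must be repeated; unlisted scopes are none.
    permissions:
      contents: read
      statuses: write
    steps:
      - run: echo "commit-status API call using GITHUB_TOKEN would go here"
```

Reviewing a workflow this way, job by job, is how to answer the "does this job need more than read?" question before the top-level block is merged.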