
chore: Set permissions for GitHub actions #4355

Closed

Conversation

naveensrinivasan

Restrict the GitHub token permissions only to the required ones; this way, even if attackers succeed in compromising your workflow, they won't be able to do much.

- Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions

https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions

https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs

[Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)

Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com>
Nargonath commented May 30, 2022

Thank you for your suggestion @naveensrinivasan. I don't have the time right now to go through all the links. We use a centralized template for the CI of all our modules so the changes won't happen here, but you gave us the direction to look at. Thank you. :)

Nargonath commented

Looking at the different links you provided plus the documentation, I believe we still need `contents: read` permissions for our tests since we're cloning the repo to install dependencies and run the tests. We're also less at risk regarding write permissions in public forks as we do not use the `pull_request_target` event for our actions but `pull_request`. Stating a GitHub blog:

> The GITHUB_TOKEN is an automatically generated secret that lets you make authenticated calls to the GitHub API in your workflow runs. Actions generates a new token for each job and expires the token when a job completes. The token has write permissions to a number of API endpoints except in the case of pull requests from forks which are always read. These new settings allow you to follow a principle of least privilege in your workflows.

Source: https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/.

I think setting:

```yaml
permissions:
  contents: read
```

at the top of the workflow template should be enough and we shouldn't put `permissions: contents: none` for the tests. I may be wrong so if that's the case please feel free to speak up.

I'll close this issue and handle it in another PR since we don't need the other modification you suggested.

Thank you for the report.
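As an added example (not the project's CI template and not code from this PR), a workflow that applies the settings discussed in the comment above: `contents: read` as the workflow-level default, `pull_request` rather than `pull_request_target`, and a job-level override for the single job that needs to write. Action versions, commands and job names are assumptions.

```yaml
# Added example, not the project's own template. Action versions and
# commands are placeholders chosen for illustration.
name: ci

on:
  push:
    branches: [main]
  # pull_request, not pull_request_target: for PRs from forks the token
  # is read-only regardless of what is declared below.
  pull_request:

# Workflow-level default for every job: the token may only read repository
# contents, which is what actions/checkout needs. Once a permissions block
# is present, every scope not listed (issues, pull-requests, packages, ...)
# is set to none.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    # Inherits contents: read from the workflow level; nothing else.
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
        with:
          node-version: 18
      - run: npm ci
      - run: npm test

  # The one job that genuinely needs to write is given that scope alone,
  # at job level, so the extra permission never reaches the test job.
  report:
    runs-on: ubuntu-latest
    needs: test
    if: github.event_name == 'pull_request'
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: actions/github-script@v6
        with:
          script: |
            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              body: 'Tests passed for ' + context.sha,
            });
```

On a fork PR the `report` job's `pull-requests: write` request is ignored and the token stays read-only, so the comment step will fail there rather than escalate.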
