ci: declare contents:read on license + yarn-audit workflows #5054
Review bot walkthrough: Three GitHub Actions workflows now declare explicit permissions restricting the GITHUB_TOKEN to ... (Changes: Workflow Permissions Hardening). No actionable comments were generated in the recent review.
Actually might be unrelated to this PR - will get to this later - possibly tomorrow.

I have fixed CI with my other PRs, so once they are merged I will focus on merging yours, example: #5066 - ETA is tomorrow. Once my PRs and your PRs are merged I'll create a cc @mlehotskylf
lukaszgryglicki left a comment:

/lgtm - will need rebase because I've fixed some failing CI in another PR. Once that PR is fixed this should become green.
Please rebase to newest

CI still fails, was it rebased? Please LMK when it is ready for another review. Thanks.

I've created another PR: #5071 where the exact same "Build and test Pull Request" passes with the same

Looks like I know why CI fails - it is because the PR is from fork and forks don't get GitHub repo's secrets populated and some of repos used by go dependencies are private, so build/fetching fails and CI is red. Investigating/Researching this.

Once this is merged #5073 - CI should be green for forks after rebasing.
License-header-check runs ./check-headers.sh against the cla-backend trees. The two yarn-scan workflows run yarn install + yarn audit on cla-backend-go and cla-backend after checkout. No GitHub API write, no comment-on-PR. contents:read at workflow scope matches the per-job style used by build-pr.yml (id-token:write + contents:read + pull-requests:write), go-audit.yml, license-compliance-go.yml, and security-scan-go.yml.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>

fcdb74c to 648f16c
@mlehotskylf @lukaszgryglicki Pushed the commit again with verified commit signature

Checking why CI fails as you only added permissions read.

OK, I now think we should go with it, and I will address in another PR - probably just a new vuln.
Pins three workflows to `contents: read` at workflow scope. `license-header-check.yml` runs `./check-headers.sh` against the cla-backend, cla-backend-legacy, cla-backend-go and cla-frontend trees. The two yarn-scan workflows run `yarn install` + `yarn audit` on `cla-backend-go` and `cla-backend` respectively. None of them write to the repo or post comments.

Defense-in-depth motivation is the CVE-2025-30066 `tj-actions/changed-files` precedent: a compromised third-party action runs inside the existing job context and exfiltrates the workflow `GITHUB_TOKEN` via build logs. The blast radius equals the token's issued scope; the explicit cap bounds it.

Style matches the per-job blocks already in `build-pr.yml`, `go-audit.yml`, `license-compliance-go.yml`, `security-scan-go.yml`, and the rest of the hardened set. YAML validated locally with `yaml.safe_load`.
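For readers who have not seen the shape of the change, here is an added illustration of a yarn-audit workflow with the workflow-scope cap the PR describes. It is not the project's own workflow file; the workflow name, trigger, job name, Node version and action versions are assumptions, while the checkout / yarn install / yarn audit on cla-backend sequence and the `contents: read` block follow the PR description.

```yaml
# Added illustration, not the project's workflow file. The trigger, job
# name and action versions below are assumptions; the step sequence and
# the permissions block are the ones described in the PR.
name: yarn-audit-backend

on:
  pull_request:
  schedule:
    - cron: "0 6 * * 1"   # assumed weekly run

# Workflow-scope cap. Every job that does not declare its own
# permissions block receives a GITHUB_TOKEN limited to read-only
# repository contents; all unlisted scopes (issues, pull-requests,
# packages, id-token, ...) are set to none. Without this block the
# token is issued with the repository's configured default, which on
# older repositories is still read/write across most scopes. A step
# that leaks the token (the tj-actions/changed-files pattern cited in
# the PR) can use whatever scopes were issued until the job ends, so
# the cap is what bounds that blast radius.
permissions:
  contents: read

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      # Read-only clone is all this job needs: it never pushes, comments
      # or calls a write API.
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20   # assumed
      - name: Install and audit
        working-directory: cla-backend
        run: |
          yarn install --frozen-lockfile
          yarn audit
```

A workflow-level block is the right scope here because none of the jobs in these three workflows needs anything beyond checkout; a job that does need a write scope would declare its own block, as `build-pr.yml` does per job.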