feat(ci): Set token permissions to read only

[spikey979]

Signed-off-by: Kristijan spikey979@gmail.com

feat(ci): Set token permissions to read only

Summary

The OpenSSF Scorecard flagged a number of Dangerous-Workflow items. This check "Determines if the project's GitHub Action workflows avoid dangerous patterns." For detailed background see https://github.com/ossf/scorecard/blob/5d3f19838078ad86630f1f80c5ad051249594a1a/docs/checks.md#token-permissions
There were 42 instances of non read-only tokens detected in GitHub workflows. See
token-permissions.txt

In all files I added top level permissions set to read-all. I also used online tool https://app.stepsecurity.io/

Additional Information

This is for issue: https://github.com/ospoco/magma-issue-tracker/issues/54

[github-actions]

Thanks for opening a PR! 💯

A couple initial guidelines

• All commits must be signed off. This is enforced by DCO check.
• All PR titles must follow the semantic commits format. This is enforced by Semantic PR.

Howto

• Reviews. The "Reviewers" listed for this PR are the Magma maintainers who will shepherd it.
• Checks. All required CI checks must pass before merge.
• Merge. Once approved and passing CI checks, use the ready2merge label to indicate the maintainers can merge your PR.

More info

Please take a moment to read through the Magma project's

• Contributing Conventions for norms around contributed code

If this is your first Magma PR, also consider reading

• Developer Onboarding for onboarding as a new Magma developer
• Development Workflow for guidance on your first pull request
• CI Checks for points of contact for failing or flaky CI checks
• GitHub-to-Slack mappings for Magma maintainers for guidance on how to contact maintainers on Slack

[electronjoe]

To my eye, this PR may be doing a couple different things (and it might be easier to review / roll back / etc if they were separated).

One large function of this PR appears to be the pinning of ~all GitHub Action external workflow references to a particular git hash. I suspect this is more secure (preventing upstream tampering of what v2 means) - but the PR description as it stands now does not discuss this large set of changes specifically (and they seem not necessary for the PR topic at hand).

Can we split these out into their own PR with a description / rationale?

[varunsh-coder]

Happy to see you used https://app.stepsecurity.io/. The code for that is at https://github.com/step-security/secure-workflows. Please do create an issue if you see areas of improvement. Also, I am working on automating scorecard requirements, so if you have pain points etc, please let me know. Thanks!

[spikey979]

@electronjoe, yes you're right. I made the changes you suggested, so this PR only contains the changes described here.

[github-actions]

feg-workflow

    2 files  202 suites   33s ⏱️
363 tests 363 ✔️ 0 💤 0 ❌
377 runs  377 ✔️ 0 💤 0 ❌

Results for commit ccac5a0.

♻️ This comment has been updated with latest results.

[github-actions]

nms-workflow

0 files  0 suites   0s ⏱️
0 tests 0 ✔️ 0 💤 0 ❌

Results for commit ccac5a0.

♻️ This comment has been updated with latest results.

[github-actions]

cloud-workflow

    7 files  351 suites   2m 30s ⏱️
960 tests 960 ✔️ 0 💤 0 ❌

Results for commit ccac5a0.

♻️ This comment has been updated with latest results.

[github-actions]

agw-workflow

  50 files    77 suites   4m 55s ⏱️
896 tests 887 ✔️ 9 💤 0 ❌
897 runs  888 ✔️ 9 💤 0 ❌

Results for commit ccac5a0.

♻️ This comment has been updated with latest results.

[github-actions]

Oops! Looks like you failed the Python Format Check.

Howto

• Instructions on running the formatter and linter locally are provided in the format AGW doc
• Guide to the different CI checks and resolution guidelines

♻️ Updated: ✅ The check is passing the Python Format Check after the last commit.

[spikey979]

I don't think error "undefined: os.ReadFile / os.WriteFile" has anything to do with the changes I made. I haven't changed file magma/src/go/capture/gen/main.go and everything seems ok to me in the file.

[themarwhal]

@mstre123 I seem to also see this error when running locally inside the Magma VM. Any clue why it is failing?
@quentinDERORY Please review.

[mstre123]

@mstre123 I seem to also see this error when running locally inside the Magma VM. Any clue why it is failing? @quentinDERORY Please review.

looks like the error is being thrown here
https://github.com/magma/magma/blob/master/src/go/capture/gen/main.go#L100
so that is trying to read https://github.com/magma/magma/blob/master/src/go/capture/gen/main.go#L40
"/home/vagrant/magma/lte/gateway/python/integ_tests/defs.mk"
which is still on the branch
https://github.com/spikey979/magma/blob/token_permissions/lte/gateway/python/integ_tests/defs.mk

i wonder if the permission change in this diff breaks how we do os reads and writes.

[mstre123]

oh actually took a closer look

note: module requires Go 1.17

[spikey979]

@mstre123, regarding the error in file src/go/capture/gen/main.go -> undefined: os.ReadFile / os.WriteFile…
The test that failed referred to the .github/workflows/golang-build-test.yml file, so I first removed the changes I made in that file, however the test still failed with the same error.
After that, in file src/go/capture/gen/main.go I replaced os.WriteFile and os.ReadFile commands with ioutil.WriteFile and ioutil.ReadFile commands and now the test pass.
According to the Go documentation, commands os.ReadFile / os.WriteFile should be identical to ioutil.WriteFile / ioutil.ReadFile, so I have no idea why the os. commands failed the test.

[themarwhal]

@tmdzk / @quentinDERORY ?