feat(ci): Set token permissions to read only #11442
Conversation
Thanks for opening a PR! 💯
Howto
Please take a moment to read through the Magma project's
If this is your first Magma PR, also consider reading
To my eye, this PR may be doing a couple different things (and it might be easier to review / roll back / etc if they were separated).
One large function of this PR appears to be the pinning of ~all GitHub Action external workflow references to a particular git hash. I suspect this is more secure (preventing upstream tampering of what v2 means) - but the PR description as it stands now does not discuss this large set of changes specifically (and they seem not necessary for the PR topic at hand).
Can we split these out into their own PR with a description / rationale?
Happy to see you used https://app.stepsecurity.io/. The code for that is at https://github.com/step-security/secure-workflows. Please do create an issue if you see areas of improvement. Also, I am working on automating scorecard requirements, so if you have pain points etc, please let me know. Thanks!
@electronjoe, yes you're right. I made the changes you suggested, so this PR only contains the changes described here.
Oops! Looks like you failed the Howto
♻️ Updated: ✅ The check is passing the Python Format Check after the last commit.
I don't think the error "undefined: os.ReadFile / os.WriteFile" has anything to do with the changes I made. I haven't changed the file magma/src/go/capture/gen/main.go and everything seems ok to me in the file.
@mstre123 I seem to also see this error when running locally inside the Magma VM. Any clue why it is failing?
Looks like the error is being thrown here. I wonder if the permission change in this diff breaks how we do os reads and writes.
Oh, actually took a closer look.
Signed-off-by: Kristijan <spikey979@gmail.com>
@mstre123, regarding the error in file src/go/capture/gen/main.go -> undefined: os.ReadFile / os.WriteFile…
@tmdzk / @quentinDERORY ?
This reverts commit 3f81d14.
Signed-off-by: Kristijan <spikey979@gmail.com>
…agma#12224) This reverts commit 3f81d14.
Signed-off-by: Kristijan <spikey979@gmail.com>
feat(ci): Set token permissions to read only
Summary
The OpenSSF Scorecard flagged a number of Dangerous-Workflow items. This check "Determines if the project's GitHub Action workflows avoid dangerous patterns." For detailed background see https://github.com/ossf/scorecard/blob/5d3f19838078ad86630f1f80c5ad051249594a1a/docs/checks.md#token-permissions
There were 42 instances of non read-only tokens detected in GitHub workflows. See token-permissions.txt
In all files I added top-level permissions set to read-all. I also used the online tool https://app.stepsecurity.io/
Additional Information
This is for issue: https://github.com/ospoco/magma-issue-tracker/issues/54
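As an added illustration (not taken from the PR's own diff) of what the Scorecard token-permissions check asks for, here is the same minimal workflow before and after hardening. The workflow name, the `release` job that needs write access, and the `<full-commit-sha>` placeholder are constructed for this example; the top-level `read-all` is what the PR applies to every workflow, and the per-job `permissions` override is the general pattern for the few jobs that genuinely need a write scope.

```yaml
# Before: no `permissions` key, so GITHUB_TOKEN receives the repository's
# default scopes (which may be read/write), and the action is referenced by a
# floating tag that upstream can move to different code at any time.
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - run: make test

---
# After: top-level `read-all` makes read-only the default for every job; a job
# that must write declares the narrowest scope at job level, which overrides
# the top-level setting only for that job; the action is pinned to an
# immutable commit SHA (the tag is kept as a comment for readability).
name: ci
on: [push, pull_request]
permissions: read-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@<full-commit-sha> # v3  (placeholder SHA, not a real pin)
      - run: make test
  release:
    needs: build
    if: github.ref == 'refs/heads/master'
    permissions:
      contents: write   # only this job, only this scope
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@<full-commit-sha> # v3  (placeholder SHA, not a real pin)
      - run: ./scripts/publish.sh   # constructed example step
```

A quick review check is to grep each workflow for a top-level `permissions:` line and for `uses:` references that end in a tag rather than a 40-character SHA; both are what the Scorecard Token-Permissions and Pinned-Dependencies checks look for.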