
a) add license/Copyright header, b) add missing TopLevel Security #6184

Merged
merged 4 commits into from
Jun 18, 2024

Conversation

andife
Member

@andife andife commented Jun 17, 2024

Description

Motivation and Context

The current analysis done by "openssf scorecard", which can be found at https://api.securityscorecards.dev/projects/github.com/onnx/onnx

displays the following points:

    {
      "name": "Token-Permissions",
      "score": 0,
      "reason": "detected GitHub workflow tokens with excessive permissions",
      "details": [
        "Warn: jobLevel 'contents' permission set to 'write': .github/workflows/auto_update_doc.yml:15",
        "Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql.yml:35",
        "Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql.yml:36",
        "Warn: jobLevel 'checks' permission set to 'write': .github/workflows/main.yml:204",
        "Warn: no topLevel permission defined: .github/workflows/auto_update_doc.yml:1",
        "Warn: no topLevel permission defined: .github/workflows/check_urls.yml:1",
        "Info: topLevel 'contents' permission set to 'read': .github/workflows/clang_tidy_review.yml:12",
        "Warn: topLevel 'checks' permission set to 'write': .github/workflows/clang_tidy_review_post.yml:12",
        "Info: topLevel 'contents' permission set to 'read': .github/workflows/codeql.yml:24",
        "Warn: no topLevel permission defined: .github/workflows/dco_merge_group.yml:1",
        "Info: topLevel 'contents' permission set to 'read': .github/workflows/lint.yml:15",
        "Info: topLevel 'contents' permission set to 'read': .github/workflows/main.yml:18",
        "Info: topLevel 'contents' permission set to 'read': .github/workflows/pages.yml:12",
        "Info: topLevel 'contents' permission set to 'read': .github/workflows/release_linux_aarch64.yml:14",
        "Info: topLevel 'contents' permission set to 'read': .github/workflows/release_linux_x86_64.yml:14",
        "Info: topLevel 'contents' permission set to 'read': .github/workflows/release_mac.yml:18",
        "Info: topLevel 'contents' permission set to 'read': .github/workflows/release_win.yml:18",
        "Info: topLevel 'contents' permission set to 'read': .github/workflows/reuse.yml:10",
        "Info: topLevel permissions set to 'read-all': .github/workflows/scorecard.yml:22",
        "Info: topLevel 'contents' permission set to 'read': .github/workflows/stale.yml:17",
        "Info: topLevel 'contents' permission set to 'read': .github/workflows/weekly_mac_ci.yml:18",
        "Info: topLevel 'contents' permission set to 'read': .github/workflows/win_no_exception_ci.yml:14"
      ],
      "documentation": {
        "short": "Determines if the project's workflows follow the principle of least privilege.",
        "url": "https://github.com/ossf/scorecard/blob/7ce8609469289d5f3b1bf5ee3122f42b4e3054fb/docs/checks.md#token-permissions"
      }
    }

This pull request handles the warnings:

"Warn: no topLevel permission defined"

in order to improve security and get a higher score ;-)

This change is also recommended by: https://github.com/ossf/scorecard/blob/7ce8609469289d5f3b1bf5ee3122f42b4e3054fb/docs/checks.md#token-permissions

Signed-off-by: Andreas Fehlner <fehlner@arcor.de>
@andife andife requested a review from a team as a code owner June 17, 2024 08:58
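The workflow shape this PR moves to (a read-only top-level `permissions` block, with write scopes granted only in the job that needs them) and the Scorecard wording it is scored against, as an added example that is not part of the original PR and not code from onnx/onnx or ossf/scorecard: a simplified, offline re-implementation of the Token-Permissions check run over two constructed workflows, a "before" with no top-level block and an "after" with one. The file path `.github/workflows/auto_update_doc.yml`, the job name `update`, the step commands and both workflow bodies are assumptions made for illustration; the indentation-based scanner stands in for a YAML parser and is only as general as GitHub workflow files need.

```python
"""Simplified re-implementation of the OpenSSF Scorecard Token-Permissions check.

Added example for this discussion; it is not Scorecard's or ONNX's code. It reads
a GitHub Actions workflow and reports the top-level and job-level `permissions`
blocks in the wording Scorecard uses, so the before/after of a PR like this one
can be checked locally. A small indentation-based scanner stands in for a YAML
parser (workflow files are shallow maps, so this is sufficient); the two
workflows below are constructed for the example, not copied from onnx/onnx.
"""
import re
from typing import List, Tuple

# `key: optional-inline-value`; list items such as "- uses: ..." deliberately do not match.
KEY_RE = re.compile(r"^(\s*)([A-Za-z0-9_.-]+):\s*(.*?)\s*$")

Entry = Tuple[int, int, str, str]  # (line number, indent, key or "", inline value)


def _entries(text: str) -> List[Entry]:
    """Tokenise non-blank, non-comment lines, keeping the original line numbers."""
    out: List[Entry] = []
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = KEY_RE.match(raw)
        if m:
            out.append((n, len(m.group(1)), m.group(2), m.group(3)))
        else:
            out.append((n, len(raw) - len(raw.lstrip()), "", raw.strip()))
    return out


def _children(entries: List[Entry], i: int) -> List[int]:
    """Indices of the entries nested under entries[i] (strictly deeper indent)."""
    indent = entries[i][1]
    j = i + 1
    while j < len(entries) and entries[j][1] > indent:
        j += 1
    return list(range(i + 1, j))


def _report(level: str, path: str, entries: List[Entry], i: int) -> List[str]:
    """Findings for one `permissions:` entry, in Scorecard's wording."""
    n, _, _, inline = entries[i]
    if inline:  # shorthand form: read-all / write-all / {}
        sev = "Warn" if inline == "write-all" else "Info"
        return [f"{sev}: {level} permissions set to '{inline}': {path}:{n}"]
    out = []
    for j in _children(entries, i):
        ln, _, scope, value = entries[j]
        if not scope:
            continue
        sev = "Warn" if value == "write" else "Info"
        out.append(f"{sev}: {level} '{scope}' permission set to '{value}': {path}:{ln}")
    return out


def check_workflow(text: str, path: str) -> List[str]:
    """Return Scorecard-style findings for one workflow: top level first, then each job."""
    entries = _entries(text)
    findings: List[str] = []

    top = [i for i, (_, ind, key, _) in enumerate(entries) if ind == 0 and key == "permissions"]
    if top:
        findings += _report("topLevel", path, entries, top[0])
    else:
        # No workflow-wide default: a job without its own block gets the
        # repository default for GITHUB_TOKEN, which may still be read/write.
        findings.append(f"Warn: no topLevel permission defined: {path}:1")

    jobs = [i for i, (_, ind, key, _) in enumerate(entries) if ind == 0 and key == "jobs"]
    if jobs:
        nested = _children(entries, jobs[0])
        job_indent = min(entries[j][1] for j in nested) if nested else 0
        for j in nested:
            if entries[j][1] != job_indent or not entries[j][2]:
                continue  # not a job id
            fields = _children(entries, j)
            if not fields:
                continue
            field_indent = min(entries[k][1] for k in fields)
            for k in fields:
                if entries[k][1] == field_indent and entries[k][2] == "permissions":
                    findings += _report("jobLevel", path, entries, k)
    return findings


# Constructed "before": no top-level block, one job with contents: write.
WEAK_WORKFLOW = """\
name: Update docs
on:
  push:
    branches: [main]

jobs:
  update:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - run: ./tools/update_docs.sh
"""

# Constructed "after", the shape this PR introduces: a read-only default for the
# whole workflow, with write granted only in the job that pushes.
FIXED_WORKFLOW = """\
name: Update docs
on:
  push:
    branches: [main]

# Default for every job: the GITHUB_TOKEN can only read the repository.
permissions:
  contents: read

jobs:
  update:
    runs-on: ubuntu-latest
    # Only this job pushes, so only it gets write (still reported, by design).
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - run: ./tools/update_docs.sh
"""

if __name__ == "__main__":
    for label, wf in (("before", WEAK_WORKFLOW), ("after", FIXED_WORKFLOW)):
        print(f"--- {label}")
        for line in check_workflow(wf, ".github/workflows/auto_update_doc.yml"):
            print(line)
```

Running it shows the "no topLevel permission defined" warning disappearing once the top-level block is added, while the job-level `contents: write` is still reported: that warning is expected for a job that pushes, and the top-level `contents: read` is what stops every other job in the file from inheriting write.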

codecov bot commented Jun 17, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 57.09%. Comparing base (83194ed) to head (7888838).
Report is 49 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #6184      +/-   ##
==========================================
+ Coverage   56.95%   57.09%   +0.14%     
==========================================
  Files         506      506              
  Lines       30467    30974     +507     
  Branches     4592     4603      +11     
==========================================
+ Hits        17353    17686     +333     
- Misses      12285    12463     +178     
+ Partials      829      825       -4     


Signed-off-by: Andreas Fehlner <fehlner@arcor.de>
Signed-off-by: Andreas Fehlner <fehlner@arcor.de>
@andife andife changed the title WIP: a) add license/Copyright header, b) TopLevel Security a) add license/Copyright header, b) add missing TopLevel Security Jun 17, 2024
@andife andife added this pull request to the merge queue Jun 18, 2024
Merged via the queue into onnx:main with commit ae9029d Jun 18, 2024
38 checks passed
@andife andife deleted the fix_top branch June 18, 2024 00:59