-
-
Notifications
You must be signed in to change notification settings - Fork 3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
GitHub Workflows security hardening #2511
Conversation
Signed-off-by: Alex <aleksandrosansan@gmail.com>
Signed-off-by: Alex <aleksandrosansan@gmail.com>
Signed-off-by: Alex <aleksandrosansan@gmail.com>
Signed-off-by: Alex <aleksandrosansan@gmail.com>
The flip side is we'll need to constantly figure out what each permission controls -- thus which permissions we need for each operation. E.g.:
How probable and severe are the risks anyway? E.g.:
Let's compose a basic risk heat map so that we can decide which risks we defend against and which we don't. |
I agree that the documentation could have been better. Though I don't agree, that it introduces a constant burden. After the workflows run with minimal privileges it requires modification only if you add a job or step that requires new permission. If that happens you will see something like "Resource is not available". Often the missing permission is obvious from the purpose of the action: comment on issue, label pull request, etc. The risk of not hardening the workflows is low:
From my point of view it is more like security hygene not running commands with sudo unnecessarily. |
That's the problem. We do currently plan to add new workflows:
|
So we can merge this, it won't hurt anything now, but whenever we start tinkering with workflow, it'll probably start causing problems and will be removed since it's wasted time and nerves for questionable gain... |
I would rather not merge then if you anticipate it will be removed. |
@pyenv/pyenv-core-committers , any thoughts on this? |
I see that the current risk is low, but "better safe than sorry". |
# Conflicts: # .github/workflows/no-response.yml
Okay, in it goes. @sashashura , thanks for adding explanations why the permissons are needed! |
Make sure you have checked all steps below.
Prerequisite
Description
This PR adds explicit permissions section to workflows. This is a security best practice because by default workflows run with extended set of permissions (except from
on: pull_request
from external forks). By specifying any permission explicitly all others are set to none. By using the principle of least privilege the damage a compromised workflow can do (because of an injection or compromised third party tool or action) is restricted.It is recommended to have most strict permissions on the top level and grant write permissions on job level case by case.
Tests