ci(permissions): provided only the necessary permissions to the GITHUB_TOKEN
#2566
Conversation
Signed-off-by: Alex <aleksandrosansan@gmail.com>
Signed-off-by: Alex <aleksandrosansan@gmail.com>
|
An example of a recent workflow run with unrestricted permissions: |
|
i'm supportive of restricting the permissions along these lines, but i think this is currently incomplete. for both workflows, the global permissions should be the permissions needed for the release should be limited to that job specifically. also, there are other permissions needed to enable all of the release behaviors. please refer to the docs for the github plugin for more details: https://github.com/semantic-release/github#github-authentication |
|
Please take a look now. |
.github/workflows/release.yml
Outdated
| permissions: | ||
| contents: read # for checkout | ||
| jobs: | ||
| release: | ||
| permissions: | ||
| contents: write # to be able to publish a GitHub release | ||
| issues: write # to be able to comment on released issues | ||
| pull-requests: write # to be able to comment on released pull requests |
There was a problem hiding this comment.
why split up permissions, there is only one job. I'd combine the permissions all under the top level permissions key
There was a problem hiding this comment.
Because this is what @travi asked?
for both workflows, the global permissions should be
contents: readto only allow checkout.the permissions needed for the release should be limited to that job specifically.
It only makes the difference if later a new job is added. The new job will get the global permissions if it doesn't define its own, even if it doesn't need them, so I agree that it is better to have the restrictive global permissions.
There was a problem hiding this comment.
okidoke, apologies, totally makes sense, I missed Matt's message
|
it looks like prettier isnt happy with some of the formatting in the release workflow definition. would you mind taking a look at resolving that @sashashura? once we get the build fully passing, we can get this merged in |
|
Fixed |
travi
changed the title
GITHUB_TOKEN
|
🎉 This PR is included in version 20.0.3 🎉 The release is available on: Your semantic-release bot 📦🚀 |
|
🎉 This PR is included in version 21.0.0-beta.2 🎉 The release is available on: Your semantic-release bot 📦🚀 |
This PR adds explicit permissions section to workflows. This is a security best practice because by default workflows run with extended set of permissions (except from
on: pull_requestfrom external forks). By specifying any permission explicitly all others are set to none. By using the principle of least privilege the damage a compromised workflow can do (because of an injection or compromised third party tool or action) is restricted.It is recommended to have most strict permissions on the top level and grant write permissions on job level case by case.