-
Notifications
You must be signed in to change notification settings - Fork 1.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ci(permissions): provided only the necessary permissions to the GITHUB_TOKEN
#2566
Conversation
Signed-off-by: Alex <aleksandrosansan@gmail.com>
Signed-off-by: Alex <aleksandrosansan@gmail.com>
i'm supportive of restricting the permissions along these lines, but i think this is currently incomplete. for both workflows, the global permissions should be the permissions needed for the release should be limited to that job specifically. also, there are other permissions needed to enable all of the release behaviors. please refer to the docs for the github plugin for more details: https://github.com/semantic-release/github#github-authentication |
Please take a look now. |
.github/workflows/release.yml
Outdated
permissions: | ||
contents: read # for checkout | ||
jobs: | ||
release: | ||
permissions: | ||
contents: write # to be able to publish a GitHub release | ||
issues: write # to be able to comment on released issues | ||
pull-requests: write # to be able to comment on released pull requests |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why split up permissions, there is only one job. I'd combine the permissions all under the top level permissions
key
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Because this is what @travi asked?
for both workflows, the global permissions should be
contents: read
to only allow checkout.the permissions needed for the release should be limited to that job specifically.
It only makes the difference if later a new job is added. The new job will get the global permissions if it doesn't define its own, even if it doesn't need them, so I agree that it is better to have the restrictive global permissions.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
okidoke, apologies, totally makes sense, I missed Matt's message
it looks like prettier isnt happy with some of the formatting in the release workflow definition. would you mind taking a look at resolving that @sashashura? once we get the build fully passing, we can get this merged in |
Fixed |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks!
GITHUB_TOKEN
🎉 This PR is included in version 20.0.3 🎉 The release is available on: Your semantic-release bot 📦🚀 |
🎉 This PR is included in version 21.0.0-beta.2 🎉 The release is available on: Your semantic-release bot 📦🚀 |
This PR adds explicit permissions section to workflows. This is a security best practice because by default workflows run with extended set of permissions (except from
on: pull_request
from external forks). By specifying any permission explicitly all others are set to none. By using the principle of least privilege the damage a compromised workflow can do (because of an injection or compromised third party tool or action) is restricted.It is recommended to have most strict permissions on the top level and grant write permissions on job level case by case.