Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[GitHub][workflows] Add minimum GitHub token permissions #21782

Merged
merged 1 commit into from Aug 26, 2022
Merged

[GitHub][workflows] Add minimum GitHub token permissions #21782

merged 1 commit into from Aug 26, 2022

Conversation

varunsh-coder
Copy link
Contributor

Description

This PR adds minimum token permissions for the GITHUB_TOKEN in GitHub Actions workflows using https://github.com/step-security/secure-workflows.
All GitHub Actions workflows have a GITHUB_TOKEN with write access to multiple scopes.
Here is an example of the permissions in one of the workflows:
https://github.com/xbmc/xbmc/runs/7999518209?check_suite_focus=true#step:1:19

After this change, the scopes will be reduced to the minimum needed for each workflow.

Signed-off-by: Varun Sharma varunsh@stepsecurity.io

Motivation and context

This project is part of the critical projects list as per OpenSSF (https://github.com/ossf/wg-securing-critical-projects), so fixing the token permissions to improve security.

How has this been tested?

While I have not tested these particular workflows, I have added minimum permissions for similar workflows in other repositories.

What is the effect on users?

No effect on users

Screenshots (if appropriate):

N/A

Types of change

  • Bug fix (non-breaking change which fixes an issue)
  • Clean up (non-breaking change which removes non-working, unmaintained functionality)
  • Improvement (non-breaking change which improves existing functionality)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that will cause existing functionality to change)
  • Cosmetic change (non-breaking change that doesn't touch code)
  • None of the above (please explain below)

Improvement to the workflows.

Checklist:

  • My code follows the Code Guidelines of this project
  • My change requires a change to the documentation, either Doxygen or wiki
  • I have updated the documentation accordingly
  • I have read the Contributing document
  • I have added tests to cover my change
  • All new and existing tests passed

@varunsh-coder
[GitHub][workflows] Add minimum GitHub token permissions
c8556bd 
Signed-off-by: Varun Sharma <varunsh@stepsecurity.io>
@varunsh-coder varunsh-coder mentioned this pull request Aug 24, 2022
Open
@enen92 enen92 added this to the Nexus 20.0 Alpha 3 milestone Aug 26, 2022
enen92
enen92 approved these changes Aug 26, 2022
View reviewed changes
Copy link
Member

@enen92 enen92 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks sane. Let's get it in and look for possible regressions, if any.
Thanks much for the contribution

@enen92 enen92 merged commit 404c54b into xbmc:master Aug 26, 2022
@ashishkurmi ashishkurmi mentioned this pull request Dec 21, 2022
Open
87 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@enen92 enen92 enen92 approved these changes

Assignees
No one assigned
Labels
Component: Build v20 Nexus
Projects
None yet
Milestone
Nexus 20.0 Alpha 3
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@varunsh-coder @enen92