Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore: Set permissions for GitHub actions #15103

Merged
merged 1 commit into from
Jun 25, 2022
Merged

chore: Set permissions for GitHub actions #15103

merged 1 commit into from
Jun 25, 2022

Conversation

timvandermeij
Copy link
Contributor

@timvandermeij timvandermeij commented Jun 25, 2022
edited
Loading

This PR is a fixup of #15010 since it's important that we apply this security improvement. The original commit message and author information is retained.

Restrict the GitHub token permissions only to the required ones; this way, even if the attackers will succeed in compromising your workflow, they won’t be able to do much.

https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions

https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs

Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests

Signed-off-by: neilnaveen [email protected]

@neilnaveen @timvandermeij
chore: Set permissions for GitHub actions
83ecc3f 
 Restrict the GitHub token permissions only to the required ones; this way, even if the attackers will succeed in compromising your workflow, they won’t be able to do much.

- Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions

https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions

https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs

[Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)

Signed-off-by: neilnaveen <[email protected]>
Snuffleupagus
Snuffleupagus approved these changes Jun 25, 2022
View reviewed changes
Copy link
Collaborator

@Snuffleupagus Snuffleupagus left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you :-)

@timvandermeij timvandermeij merged commit def1a30 into mozilla:master Jun 25, 2022
@timvandermeij timvandermeij deleted the permissions branch June 25, 2022 13:39
@ZeroXClem ZeroXClem mentioned this pull request Aug 12, 2024
Closed
@earthywh earthywh mentioned this pull request Sep 24, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Snuffleupagus Snuffleupagus Snuffleupagus approved these changes

Assignees
No one assigned
Labels
other
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@timvandermeij @Snuffleupagus @neilnaveen