I would like to suggest to the getrandom project to set minimally scoped permissions for its GitHub workflows (in this case the tests.yml file). This means setting the permissions as read-only at the top level, with any write permission granted at the job level.
This is necessary due to a behavior of GitHub workflows that grants GITHUB_TOKEN write permissions for all permission types, regardless of whether they are used or not. In case of the workflow getting compromised, an attacker can exploit these permissions.
Fixes #348
We only need to read the contents of the repo to run our tests; no other
permissions are needed, as we currently do not publish via our CI jobs.
Signed-off-by: Joe Richey <[email protected]>
This can be seen in the Action run step "Set up job" such as https://github.com/rust-random/getrandom/actions/runs/4412157849/jobs/7731354938.
Let me know if a PR is welcome with the changes mentioned above.
Thanks!
Disclosure: I'm from Google working with the OpenSSF to improve supply-chain security in many open source projects.
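The layout the issue and PR describe, as an added example that is not the project's own tests.yml: a read-only default at the top level, with a write grant scoped to a single hypothetical job (getrandom itself publishes nothing from CI, so that job is illustrative only).

```yaml
# Added example, not the getrandom project's actual tests.yml.
name: Tests

on:
  push:
  pull_request:

# Top-level default for every job's GITHUB_TOKEN: read access to the
# repository contents only. Every scope not listed here is "none".
# Without this block the token falls back to the repository default,
# which for this project granted write access to all scopes.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    # Inherits the read-only default; checkout and cargo test need nothing more.
    steps:
      - uses: actions/checkout@v3
      - run: cargo test

  # Hypothetical job (assumption, not part of getrandom's CI) that needs to
  # push: the write scope is granted here only, so a compromised step in the
  # `test` job never holds a token with write access.
  publish-docs:
    needs: test
    runs-on: ubuntu-latest
    permissions:
      contents: write   # only this job's token can push
    steps:
      - uses: actions/checkout@v3
      - run: echo "publish step would go here"
```

The effective token scopes for each job are printed under "Set up job" in the run log, which is the place to verify the change took effect.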