-
Notifications
You must be signed in to change notification settings - Fork 824
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
GitHub Workflows security hardening #10510
Comments
In the case of shared workflows (ci.yml, action-ci.yml), set the permissions on the 'inner' shared workflow, rather that on the outer (such as framework ci.yml) Create PR's to update workflow files in:
Leave admin running for a few weeks to validate it's working correctly. Also manually run the "Update JS" workflow to confirm that works then delete created PR. When satisfied update module-standardiser to update the workflow files for repos - dispatch-ci.yml, keepalive.yml, merge-up.yml, update-js.yml Also leave gha-ci working for a few weeks. Once we're happy with that use module-standardiser to update the gha specific workflow files - action-ci.yml, auto-tag.yml Manually run .github workflows post merge to validate You can use the following to work out the required scopes for API calls, use an finely grained token with zero permissions and access to some random repo
silverstripe/admin
gha-ci
gha-action-ci
.github
permissions required for gha actions (not including gha shared workflows gha-ci and gha-action-ci) gha-run-tests
gha-merge-up
gha-generate-matrix
gha-dispatch-ci
gha-trigger-ci
gha-gauge-release
gha-issue
gha-keepalive
gha-update-js
gha-pull-request
gha-tag-release
gha-auto-tag
metadata Validation that the Push from repo - allowed
PR from repo - allowed
PR from forked repo - disallowed
Validation that raw git commands require a Test raw git commands creating a branch with contents:write on push event
Test raw git commands creating a branch with contents:read on push event
Validation that raw git commands without git push only don't require any permissions
|
Initial PRs merged. Assigning to Steve for next steps |
PRs merged |
Our CI builds only need read access to the repos to do their job ... except for when we do things like auto tagging?
Acceptance criteria
Original PR
Note that this PR was made before the ACs were created. If it isn't fit for purpose, close it and create new PRs as appropriate.
Workflow PRs
Once the above PRs have been merged
Module standardiser PR
Action PRs - Update docs
The text was updated successfully, but these errors were encountered: