Set permissions for GitHub actions #11367
Conversation
Restrict the GitHub token permissions only to the required ones; this way, even if the attackers will succeed in compromising your workflow, they won’t be able to do much. - Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/) Signed-off-by: naveen <[email protected]>
spring-projects-issues
added
the
status: waiting-for-triage
There was a problem hiding this comment.
Thanks for the PR @naveensrinivasan Looks good to me. @sjohnr Can you please take a second look over this and if it looks good merge?
rwinch
changed the title
rwinch
added
in: build
There was a problem hiding this comment.
Thanks @naveensrinivasan! See comments below. Also, according to the scorecard reference you provided:
The highest score is awarded when the permissions definitions in each workflow's yaml file are set as read-only at the top level and the required write permissions are declared at the run-level. One point is reduced from the score if all jobs have their permissions defined but the top level permissions are not defined. This configuration is secure, but there is a chance that when a new job is added to the workflow, its job permissions could be left undefined because of human error.
If I'm understanding this correctly, we should have every workflow file in this repo contain at a minimum:
permissions:
contents: readAm I understanding that correctly? I see the following missing files:
- backport-bot.yml
- release-scheduler.yml
- update-scheduled-release-version.yml
|
Thanks @naveensrinivasan, this is merged as 8f93a7f. I've also included a polish commit 3f4efed to add default permissions to each workflow. |
Restrict the GitHub token permissions only to the required ones; this way, even if the attackers will succeed in compromising your workflow, they won’t be able to do much. - Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ Signed-off-by: naveen <[email protected]> Closes gh-11367
Restrict the GitHub token permissions only to the required ones; this way, even if the attackers will succeed in compromising your workflow, they won’t be able to do much. - Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ Signed-off-by: naveen <[email protected]> Closes gh-11367
github-actions
bot
added
the
status: backported
Restrict the GitHub token permissions only to the required ones; this way, even if the attackers will succeed in compromising your workflow, they won’t be able to do much. - Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ Signed-off-by: naveen <[email protected]> Closes gh-11367
|
FWIW, these kind of concerns are IMO better addressed at either repository or organization level under Actions settings: That makes workflows easier to maintain as you only override permissions where needed. Note that I left a similar comment in spring-projects/spring-boot#31344 (comment). |
Restrict the GitHub token permissions only to the required ones; this way, even if the attackers will succeed in compromising your workflow, they won’t be able to do much.
https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs
Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests
Signed-off-by: naveen [email protected]