From: Phillip Wood <phillip.wood123@gmail.com>
To: Alex via GitGitGadget <gitgitgadget@gmail.com>, git@vger.kernel.org
Cc: Alex <aleksandrosansan@gmail.com>
Subject: Re: [PATCH] ci: restrict workflow's github token permissions
Date: Thu, 22 Sep 2022 16:29:38 +0100 [thread overview]
Message-ID: <ed506937-44fc-125f-7baa-a187b12414c9@dunelm.org.uk> (raw)
In-Reply-To: <pull.1337.git.git.1663831649705.gitgitgadget@gmail.com>
Hi Alex
On 22/09/2022 08:27, Alex via GitGitGadget wrote:
> From: sashashura <aleksandrosansan@gmail.com>
>
> Currently the workflow runs with the following permissions:
> GITHUB_TOKEN Permissions
> Actions: write
> Checks: write
> Contents: write
> Deployments: write
> Discussions: write
> Issues: write
> Metadata: read
> Packages: write
> Pages: write
> PullRequests: write
> RepositoryProjects: write
> SecurityEvents: write
> Statuses: write
Thanks for working on this. On the face of it restricting the
permissions sounds like a good idea but unfortunately the commit message
does not explain the reasoning for the change being made or the
implications of the change. Some of the notes below the '---' line
should be rewritten into the commit message to explain the change. I
would also be helpful to briefly explain why we don't need any of these
permissions. I'm not familiar with github's permissions model so it's
hard to judge if this is a sensible change. It is not clear to me what
all the permissions mean - does write permission control writing to my
fork when I run a ci job or something else? Our ci scripts do cache some
state between jobs so we can skip running the tests if the tree is
unchanged, it's not clear if that is affected by this change.
Best Wishes
Phillip
> Signed-off-by: sashashura <aleksandrosansan@gmail.com>
> ---
> ci: restrict workflow's github token permissions
>
> This PR adds explicit permissions section
> [https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions]
> to workflows. This is a security best practice because by default
> workflows run with extended set of permissions
> [https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token]
> (except from on: pull_request from external forks
> [https://securitylab.github.com/research/github-actions-preventing-pwn-requests/]).
> By specifying any permission explicitly all others are set to none. By
> using the principle of least privilege the damage a compromised workflow
> can do (because of an injection
> [https://securitylab.github.com/research/github-actions-untrusted-input/]
> or compromised third party tool or action) is restricted. It is
> recommended to have most strict permissions on the top level
> [https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions]
> and grant write permissions on job level
> [https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs]
> case by case.
>
> check-whitespace.yml is triggered by pull_request only and receives
> restricted token already. l10n.yml has permissions on job level already.
> So I didn't make any changes to them. In both cases it is possible to
> add explicit global lever permissions just for consistency if you
> prefer. Let me know.
>
> Currently
> [https://github.com/git/git/actions/runs/3100948073/jobs/5021781329] the
> workflow runs with the following permissions: GITHUB_TOKEN Permissions
> Actions: write Checks: write Contents: write Deployments: write
> Discussions: write Issues: write Metadata: read Packages: write Pages:
> write PullRequests: write RepositoryProjects: write SecurityEvents:
> write Statuses: write
>
> Published-As: https://github.com/gitgitgadget/git/releases/tag/pr-git-1337%2Fsashashura%2Fpatch-2-v1
> Fetch-It-Via: git fetch https://github.com/gitgitgadget/git pr-git-1337/sashashura/patch-2-v1
> Pull-Request: https://github.com/git/git/pull/1337
>
> .github/workflows/main.yml | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
> index 831f4df56c5..3ce9302c589 100644
> --- a/.github/workflows/main.yml
> +++ b/.github/workflows/main.yml
> @@ -5,8 +5,14 @@ on: [push, pull_request]
> env:
> DEVELOPER: 1
>
> +permissions:
> + contents: read
> +
> jobs:
> ci-config:
> + permissions:
> + contents: read
> + actions: read # for github.actions.getWorkflowRun
> name: config
> runs-on: ubuntu-latest
> outputs:
>
> base-commit: dda7228a83e2e9ff584bf6adbf55910565b41e14
prev parent reply other threads:[~2022-09-22 15:31 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-09-22 7:27 [PATCH] ci: restrict workflow's github token permissions Alex via GitGitGadget
2022-09-22 15:29 ` Phillip Wood [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ed506937-44fc-125f-7baa-a187b12414c9@dunelm.org.uk \
--to=phillip.wood123@gmail.com \
--cc=aleksandrosansan@gmail.com \
--cc=git@vger.kernel.org \
--cc=gitgitgadget@gmail.com \
--cc=phillip.wood@dunelm.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).