From: "Alex via GitGitGadget" <gitgitgadget@gmail.com>
To: git@vger.kernel.org
Cc: Alex <aleksandrosansan@gmail.com>,
sashashura <aleksandrosansan@gmail.com>
Subject: [PATCH] ci: restrict workflow's github token permissions
Date: Thu, 22 Sep 2022 07:27:29 +0000 [thread overview]
Message-ID: <pull.1337.git.git.1663831649705.gitgitgadget@gmail.com> (raw)
From: sashashura <aleksandrosansan@gmail.com>
Currently the workflow runs with the following permissions:
GITHUB_TOKEN Permissions
Actions: write
Checks: write
Contents: write
Deployments: write
Discussions: write
Issues: write
Metadata: read
Packages: write
Pages: write
PullRequests: write
RepositoryProjects: write
SecurityEvents: write
Statuses: write
Signed-off-by: sashashura <aleksandrosansan@gmail.com>
---
ci: restrict workflow's github token permissions
This PR adds explicit permissions section
[https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions]
to workflows. This is a security best practice because by default
workflows run with extended set of permissions
[https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token]
(except from on: pull_request from external forks
[https://securitylab.github.com/research/github-actions-preventing-pwn-requests/]).
By specifying any permission explicitly all others are set to none. By
using the principle of least privilege the damage a compromised workflow
can do (because of an injection
[https://securitylab.github.com/research/github-actions-untrusted-input/]
or compromised third party tool or action) is restricted. It is
recommended to have most strict permissions on the top level
[https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions]
and grant write permissions on job level
[https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs]
case by case.
check-whitespace.yml is triggered by pull_request only and receives
restricted token already. l10n.yml has permissions on job level already.
So I didn't make any changes to them. In both cases it is possible to
add explicit global lever permissions just for consistency if you
prefer. Let me know.
Currently
[https://github.com/git/git/actions/runs/3100948073/jobs/5021781329] the
workflow runs with the following permissions: GITHUB_TOKEN Permissions
Actions: write Checks: write Contents: write Deployments: write
Discussions: write Issues: write Metadata: read Packages: write Pages:
write PullRequests: write RepositoryProjects: write SecurityEvents:
write Statuses: write
Published-As: https://github.com/gitgitgadget/git/releases/tag/pr-git-1337%2Fsashashura%2Fpatch-2-v1
Fetch-It-Via: git fetch https://github.com/gitgitgadget/git pr-git-1337/sashashura/patch-2-v1
Pull-Request: https://github.com/git/git/pull/1337
.github/workflows/main.yml | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 831f4df56c5..3ce9302c589 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -5,8 +5,14 @@ on: [push, pull_request]
env:
DEVELOPER: 1
+permissions:
+ contents: read
+
jobs:
ci-config:
+ permissions:
+ contents: read
+ actions: read # for github.actions.getWorkflowRun
name: config
runs-on: ubuntu-latest
outputs:
base-commit: dda7228a83e2e9ff584bf6adbf55910565b41e14
--
gitgitgadget
next reply other threads:[~2022-09-22 7:27 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-09-22 7:27 Alex via GitGitGadget [this message]
2022-09-22 15:29 ` [PATCH] ci: restrict workflow's github token permissions Phillip Wood
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=pull.1337.git.git.1663831649705.gitgitgadget@gmail.com \
--to=gitgitgadget@gmail.com \
--cc=aleksandrosansan@gmail.com \
--cc=git@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).