chore: tighten GitHub workflow permissions #15282


Merged: matifali merged 1 commit into main from atif/optimize-gh-workflow-permissions on Oct 30, 2024

Conversation

matifali (Member) commented Oct 30, 2024 (edited)

Make sure the project's workflows follow the principle of least privilege.

Contributes to coder/internal#89

Addresses the following observations:

```json
{
  "name": "Token-Permissions",
  "score": 0,
  "reason": "detected GitHub workflow tokens with excessive permissions",
  "details": [
    "Warn: jobLevel 'actions' permission set to 'write': .github/workflows/stale.yaml:13",
    "Warn: topLevel 'packages' permission set to 'write': .github/workflows/ci.yaml:17",
    "Warn: no topLevel permission defined: .github/workflows/contrib.yaml:1",
    "Warn: topLevel 'packages' permission set to 'write': .github/workflows/docker-base.yaml:26",
    "Warn: no topLevel permission defined: .github/workflows/nightly-gauntlet.yaml:1",
    "Warn: topLevel 'packages' permission set to 'write': .github/workflows/pr-cleanup.yaml:12",
    "Warn: topLevel 'packages' permission set to 'write': .github/workflows/pr-deploy.yaml:33",
    "Warn: no topLevel permission defined: .github/workflows/release-validation.yaml:1",
    "Warn: topLevel 'contents' permission set to 'write': .github/workflows/release.yaml:22",
    "Warn: topLevel 'packages' permission set to 'write': .github/workflows/release.yaml:24",
    "Warn: no topLevel permission defined: .github/workflows/stale.yaml:1",
  ],
  "documentation": {
    "short": "Determines if the project's workflows follow the principle of least privilege.",
    "url": "https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#token-permissions"
  }
},
```

Align permissions with OpenSSF scorecard recommendations to enhance security. Move permissions to specific jobs to grant only what's necessary.
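What the change described in this PR looks like in a single workflow file, as an added example that is constructed here and is not a workflow from the coder repository: the first document grants `contents: write` and `packages: write` at the workflow level, which is the pattern the Scorecard output above flags; the second keeps the workflow-level block read-only and moves `packages: write` onto the one job that pushes an image. The workflow, job, image and organization names are placeholders.

```yaml
# BEFORE (constructed example): every job in the workflow, including the
# test job that never pushes anything, inherits a GITHUB_TOKEN that can
# write repository contents and publish packages. Scorecard reports each
# write scope here as "topLevel '<scope>' permission set to 'write'".
name: ci
on:
  push:
    branches: [main]

permissions:
  contents: write
  packages: write

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make test

  publish-image:
    runs-on: ubuntu-latest
    needs: test
    steps:
      - uses: actions/checkout@v4
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - run: docker build -t ghcr.io/example-org/example-image:latest .
      - run: docker push ghcr.io/example-org/example-image:latest
---
# AFTER (constructed example): the workflow-level block is read-only, so
# the token is read-only for any job that does not say otherwise. Leaving
# the key out entirely is not equivalent: the token would then fall back
# to the repository's default token permissions, which is what Scorecard
# reports as "no topLevel permission defined". Only publish-image asks for
# packages:write, and only for its own token.
name: ci
on:
  push:
    branches: [main]

permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make test

  publish-image:
    runs-on: ubuntu-latest
    needs: test
    # A job-level block replaces the workflow-level one rather than merging
    # with it; any scope not listed here becomes "none" for this job, so
    # contents:read has to be restated for actions/checkout to work.
    permissions:
      contents: read
      packages: write
    steps:
      - uses: actions/checkout@v4
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - run: docker build -t ghcr.io/example-org/example-image:latest .
      - run: docker push ghcr.io/example-org/example-image:latest
```

The restated `contents: read` in the job-level block is the detail that most often breaks a workflow when permissions are split up this way: because the job-level block does not merge with the workflow-level one, a job that lists only `packages: write` loses read access to the repository and its checkout step fails. Checking that every job with its own `permissions` block still lists the scopes its steps actually use is the quickest way to confirm that a change like this one does not alter behaviour.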
matifali reopened this Oct 30, 2024
github-actions bot locked and limited conversation to collaborators Oct 30, 2024

matifali (Member, Author)

@coadler @mafredri I am a bit hesitant to merge this now as it also affects release.yaml.
But we need to test it in some way.

All the changes are very straightforward and should not change any behavior.

cc: @stirby for release.yaml

ethanndickson (Member)

FWIW, the main release job in release.yaml has the least opportunity for error - the permissions haven't been split up in any way.

matifali (Member, Author)

Thank you @ethanndickson, that's what I think. I am merging it then :)

matifali merged commit afacb07 into main Oct 30, 2024
56 checks passed
matifali deleted the atif/optimize-gh-workflow-permissions branch October 30, 2024 11:17
Reviewers

ethanndickson approved these changes

coadler: awaiting requested review

Assignees

matifali

2 participants: @matifali, @ethanndickson
