- Notifications
You must be signed in to change notification settings - Fork20.6k
Commitc909d6b
authored
Build: Limit permissions for GitHub workflows
Add explicit permissions section[^1] to workflows. This is a securitybest practice because by default workflows run with extended setof permissions[^2] (except from `on: pull_request` from external forks[^3].By specifying any permission explicitly all others are set to none. By usingthe principle of least privilege the damage a compromised workflow can do(because of an injection[^4] or compromised third party tool or action) isrestricted. It is recommended to have most strict permissions on the toplevel[^5] and grant write permissions on job level[^6] on a case by casebasis.[^1]:https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions[^2]:https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token[^3]:https://securitylab.github.com/research/github-actions-preventing-pwn-requests/[^4]:https://securitylab.github.com/research/github-actions-untrusted-input/[^5]:https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions[^6]:https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobsClosesgh-51191 parent5266f23 commitc909d6b
2 files changed
+10
-0
lines changedLines changed: 7 additions & 0 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
6 | 6 | | |
7 | 7 | | |
8 | 8 | | |
| 9 | + | |
| 10 | + | |
| 11 | + | |
9 | 12 | | |
10 | 13 | | |
11 | 14 | | |
| 15 | + | |
| 16 | + | |
| 17 | + | |
| 18 | + | |
12 | 19 | | |
13 | 20 | | |
14 | 21 | | |
| |||
Lines changed: 3 additions & 0 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
2 | 2 | | |
3 | 3 | | |
4 | 4 | | |
| 5 | + | |
| 6 | + | |
| 7 | + | |
5 | 8 | | |
6 | 9 | | |
7 | 10 | | |
| |||
0 commit comments
Comments
(0)