chore: Set permissions for GitHub actions #11226
Conversation
Restrict the GitHub token permissions only to the required ones; this way, even if the attackers will succeed in compromising your workflow, they won’t be able to do much. - Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/) Signed-off-by: naveen <[email protected]>
uranusjr
added
the
skip news
| permissions: | ||
| contents: read |
There was a problem hiding this comment.
Is this necessary -- this is only on pull_request, which does not get a token with write anyway?
I might have a gap in understanding here, so I'd appreciate context on why this exists.
There was a problem hiding this comment.
I agree it doesn’t get write token. It is best practice to set permissions.
That was my reasoning.
Thanks
|
As far as I understand, this would be mostly redundant as by default I suppose we could further restrict permissions by only granting read access to specific scopes. |
There was a problem hiding this comment.
I'm going to add the awaiting merge label to this PR as it would improve GHA security in depth. This isn't necessary, but it's unlikely to hurt either.
I'm not against rejecting this PR though.
(To fellow maintainers, the awaiting merge label is brand new! It was created by Pradyun so I'd have a way to properly flag PRs that seem ready for merge, but don't belong in a release milestone.)
|
Ah, this branch is so old that the RTD build is failing. As long as the GHA CI passes, we can ignore that failure. |
|
FWIW, we are protected against the kind of attack this claims to protect us from via the repo's settings. 
|
|
Deja vu: #12564 (comment) |
ichard26
added
the
resolution: no action
|
I'm going to close this PR then. Also AFAIK, we also restrict the actions this repository workflows can use so we should be okay security-wise for now. |
Restrict the GitHub token permissions only to the required ones; this way, even if the attackers will succeed in compromising your workflow, they won’t be able to do much.
https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs
Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests
Signed-off-by: naveen [email protected]