ci: add minimum GitHub token permissions for workflows #7469

ashishkurmi · 2022-09-09T07:59:22Z

This PR adds minimum token permissions for the GITHUB_TOKEN in GitHub Actions workflows using https://github.com/step-security/secure-workflows.

GitHub Actions workflows have a GITHUB_TOKEN with write access to multiple scopes.
Here is an example of the permissions in one of the workflows:
https://github.com/ReactiveX/RxJava/runs/8243359652?check_suite_focus=true#step:1:19

After this change, the scopes will be reduced to the minimum needed for the following workflows:

The following workflow files already have the least privileged token permission set:

This is a security best practice, so if the GITHUB_TOKEN is compromised due to a vulnerability or compromised Action, the damage will be reduced.
GitHub recommends defining minimum GITHUB_TOKEN permissions.
https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token
The Open Source Security Foundation (OpenSSF) Scorecards also treats not setting token permissions as a high-risk issue. This change will help increase the Scorecard score for this repository.

Signed-off-by: Ashish Kurmi akurmi@stepsecurity.io

Signed-off-by: Ashish Kurmi <akurmi@stepsecurity.io>

akarnokd · 2022-09-09T08:29:17Z

It doesn't work. We need to write back to the repo.

ci: add minimum GitHub token permissions for workflows

72e24ec

Signed-off-by: Ashish Kurmi <akurmi@stepsecurity.io>

ashishkurmi mentioned this pull request Sep 9, 2022

Fix token permissions for 100 critical open-source projects step-security/secure-repo#462

Open

akarnokd closed this Sep 9, 2022

joycebrum mentioned this pull request Mar 14, 2023

Add minimum GitHub token permissions for workflows #7540

Closed

Provide feedback