chore: tighten GitHub workflow permissions #15282


Merged
merged 1 commit into from
Oct 30, 2024

Conversation

matifali
Member

@matifali matifali commented Oct 30, 2024

Make sure the project's workflows follow the principle of least privilege.

Contributes to coder/internal#89

Addresses the following observations:

{
  "name": "Token-Permissions",
  "score": 0,
  "reason": "detected GitHub workflow tokens with excessive permissions",
  "details": [
    "Warn: jobLevel 'actions' permission set to 'write': .github/workflows/stale.yaml:13",
    "Warn: topLevel 'packages' permission set to 'write': .github/workflows/ci.yaml:17",
    "Warn: no topLevel permission defined: .github/workflows/contrib.yaml:1",
    "Warn: topLevel 'packages' permission set to 'write': .github/workflows/docker-base.yaml:26",
    "Warn: no topLevel permission defined: .github/workflows/nightly-gauntlet.yaml:1",
    "Warn: topLevel 'packages' permission set to 'write': .github/workflows/pr-cleanup.yaml:12",
    "Warn: topLevel 'packages' permission set to 'write': .github/workflows/pr-deploy.yaml:33",
    "Warn: no topLevel permission defined: .github/workflows/release-validation.yaml:1",
    "Warn: topLevel 'contents' permission set to 'write': .github/workflows/release.yaml:22",
    "Warn: topLevel 'packages' permission set to 'write': .github/workflows/release.yaml:24",
    "Warn: no topLevel permission defined: .github/workflows/stale.yaml:1"
  ],
  "documentation": {
    "short": "Determines if the project's workflows follow the principle of least privilege.",
    "url": "https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#token-permissions"
  }
},

Align permissions with OpenSSF scorecard recommendations to enhance
security. Move permissions to specific jobs to grant only what's
necessary.
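An added illustration of the "move permissions to specific jobs" change described above; it is not this PR's diff, and the job names and `make` targets are assumed. The first document shows the pattern the scorecard flags as `topLevel 'packages' permission set to 'write'`; the second shows the least-privilege shape, with the caveat that a job-level `permissions` block replaces the top-level one entirely rather than merging with it.

```yaml
# BEFORE (hypothetical ci.yaml): the top-level grant applies to every job,
# so the GITHUB_TOKEN in the test job can push packages even though it
# never publishes anything.
name: ci
on: [push, pull_request]

permissions:
  contents: read
  packages: write   # inherited by all jobs below, including `test`

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make test            # assumed target; needs only read access
  publish-image:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make push-image      # assumed target; the only step needing packages:write
---
# AFTER: the top-level block is explicit and read-only, so a job that does
# not declare its own permissions (here `test`) receives a read-only token,
# and packages:write is granted to the single job that publishes.
name: ci
on: [push, pull_request]

permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make test
  publish-image:
    runs-on: ubuntu-latest
    permissions:
      contents: read    # must be restated: a job-level block does not merge with the top-level one
      packages: write   # scoped to this job only
    steps:
      - uses: actions/checkout@v4
      - run: make push-image
```

Defining the top-level block also clears the `no topLevel permission defined` findings, since without it the token falls back to the repository's default, which may be the permissive legacy setting.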
@matifali matifali closed this Oct 30, 2024
@matifali matifali reopened this Oct 30, 2024
@github-actions github-actions bot locked and limited conversation to collaborators Oct 30, 2024
@matifali
Member Author

@coadler @mafredri I am a bit hesitant to merge this now as it also affects release.yaml.
But we need to test it in some way.

All the changes are very straightforward and should not change any behavior.

cc: @stirby for release.yaml

@ethanndickson
Member

FWIW, the main release job in release.yaml has the least opportunity for error - the permissions haven't been split up in any way.

@matifali
Member Author

Thank you @ethanndickson, that's what I think. I am merging it then :)

@matifali matifali merged commit afacb07 into main Oct 30, 2024
56 checks passed
@matifali matifali deleted the atif/optimize-gh-workflow-permissions branch October 30, 2024 11:17