Set minimal workflow token permissions (#2773)

pnacht · rtobar · web-flow · commit d88bff3d3d82 · 2023-12-12T08:25:17.000+08:00
Fixes #2772. This PR sets top-level read-only permissions on all CI/CD workflows. Jobs that require additional permissions (`stale.yml` and `pr-comment.yml`) are given them at the job-level. I made more significant changes in `pr-comment.yml`. It is vulnerable to code injection, since it runs files controlled by the PR author (`requirements.txt` and `scripts/list_missing_entries.py`, taken from the PR). I have therefore modified the workflow to checkout those files from the base branch instead, ensuring we're running trusted versions of those files. And in order to minimize the code that has access to the `issues/pull-requests: write` permissions, I have separated the workflow into two sequential jobs: 1. `define-comment`, which is unprivileged and does almost everything 2. `write-comment`, which has those additional permissions and uses them to perform the very last step of actually writing the comment on the PR. --------- Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> Co-authored-by: rtobar <rtobarc@gmail.com>
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -6,6 +6,9 @@ on:
       - 3.*
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   test:
     name: Test
diff --git a/.github/workflows/pr-comment.yml b/.github/workflows/pr-comment.yml
@@ -3,10 +3,16 @@ name: Agrega comentario a PR
 on:
   pull_request_target:
 
+permissions:
+  contents: read
+
 jobs:
-  pr-comment:
+  define-comment:
     name: Entradas sin traducción
     runs-on: ubuntu-22.04
+    outputs:
+      any_changed: ${{ steps.changed-files.outputs.any_changed }}
+      comment: ${{ steps.create-pr-comment.outputs.comment }}
     steps:
       - uses: actions/checkout@v4
         with:
@@ -17,9 +23,18 @@ jobs:
         with:
           python-version: "3.11"
           cache: "pip"
+      # checkout these files from the base branch to guarantee they haven't been
+      # modified by the PR
+      - uses: actions/checkout@v4
+        with:
+          path: base-branch
+          sparse-checkout-cone-mode: false
+          sparse-checkout: |
+            requirements.txt
+            scripts/list_missing_entries.py
       - name: Instalar dependencias
         run: |
-          python -m pip install -r requirements.txt
+          python -m pip install -r base-branch/requirements.txt
       - name: Obtiene lista de archivos con cambios
         id: changed-files
         uses: tj-actions/changed-files@v40
@@ -34,12 +49,20 @@ jobs:
         run: |
           {
             echo 'comment<<EOF'
-            python scripts/list_missing_entries.py --github $CHANGED_PO_FILES
+            python base-branch/scripts/list_missing_entries.py --github $CHANGED_PO_FILES
             echo EOF
           } >> "$GITHUB_OUTPUT"
+
+  write-comment:
+    runs-on: ubuntu-22.04
+    needs: [define-comment]
+    if: needs.define-comment.outputs.any_changed == 'true'
+    permissions:
+      issues: write
+      pull-requests: write
+    steps:
       - name: Agregar comentario con entradas faltantes
-        if: steps.changed-files.outputs.any_changed == 'true'
         uses: thollander/actions-comment-pull-request@v2
         with:
-          message: ${{ steps.create-pr-comment.outputs.comment }}
+          message: ${{ needs.define-comment.outputs.comment }}
           comment_tag: missing-entries
diff --git a/.github/workflows/stale.yaml b/.github/workflows/stale.yaml
@@ -3,9 +3,15 @@ on:
   schedule:
     - cron: '30 1 * * *'
 
+permissions:
+  contents: read
+
 jobs:
   stale:
     runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
     steps:
       - uses: actions/stale@v8
         with:
