Skip to content

chore: GitHub Workflows security hardening #5672

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Oct 2, 2022
Merged

chore: GitHub Workflows security hardening #5672

merged 2 commits into from
Oct 2, 2022

Conversation

sashashura
Copy link
Contributor

This PR adds explicit permissions section to workflows. This is a security best practice because by default workflows run with extended set of permissions (except from on: pull_request from external forks). By specifying any permission explicitly all others are set to none. By using the principle of least privilege the damage a compromised workflow can do (because of an injection or compromised third party tool or action) is restricted.
It is recommended to have most strict permissions on the top level and grant write permissions on job level case by case.

@sashashura
build: harden GitHub Workflow permissions
ca0207a 
Signed-off-by: Alex Low <aleksandrosansan@gmail.com>
@sashashura
build: harden GitHub Workflow permissions
9d17dbf 
Signed-off-by: Alex Low <aleksandrosansan@gmail.com>
@nx-cloud
Copy link

nx-cloud bot commented Sep 19, 2022
edited
Loading

☁️ Nx Cloud Report

CI is running/has finished running commands for commit 9d17dbf. As they complete they will appear below. Click to see the status, the terminal output, and the build insights.

📂 See all runs for this branch

✅ Successfully ran 47 targets

Sent with 💌 from NxCloud.

@typescript-eslint
Copy link
Contributor

Thanks for the PR, @sashashura!

typescript-eslint is a 100% community driven project, and we are incredibly grateful that you are contributing to that community.

The core maintainers work on this in their personal time, so please understand that it may not be possible for them to review your work immediately.

Thanks again!

🙏 Please, if you or your company is finding typescript-eslint valuable, help us sustain the project by sponsoring it transparently on https://opencollective.com/typescript-eslint. As a thank you, your profile/company logo will be added to our main README which receives thousands of unique visitors per day.

@netlify
Copy link

netlify bot commented Sep 19, 2022
edited
Loading

Deploy Preview for typescript-eslint ready!

Name Link
🔨 Latest commit 9d17dbf
🔍 Latest deploy log https://app.netlify.com/sites/typescript-eslint/deploys/63289d51aff6e60008fc1250
😎 Deploy Preview https://deploy-preview-5672--typescript-eslint.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site settings.

@codecov
Copy link

codecov bot commented Sep 19, 2022
edited
Loading

Codecov Report

Merging #5672 (9d17dbf) into main (7888d33) will decrease coverage by 2.81%.
The diff coverage is n/a.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #5672      +/-   ##
==========================================
- Coverage   93.82%   91.01%   -2.82%     
==========================================
  Files         134      365     +231     
  Lines        1506    11962   +10456     
  Branches      226     3483    +3257     
==========================================
+ Hits         1413    10887    +9474     
- Misses         60      781     +721     
- Partials       33      294     +261
Flag Coverage Δ
unittest 91.01% <ø> (-2.82%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files Coverage Δ
packages/eslint-plugin/src/rules/quotes.ts 88.88% <0.00%> (ø)
...ckages/eslint-plugin/src/util/getThisExpression.ts 84.61% <0.00%> (ø)
packages/type-utils/src/getSourceFileOfNode.ts 0.00% <0.00%> (ø)
packages/type-utils/src/getTypeName.ts 0.00% <0.00%> (ø)
packages/typescript-estree/src/convert.ts 97.89% <0.00%> (ø)
...s/utils/src/ast-utils/eslint-utils/astUtilities.ts 53.33% <0.00%> (ø)
...ckages/typescript-estree/src/jsx/xhtml-entities.ts 100.00% <0.00%> (ø)
...s/eslint-plugin/src/util/collectUnusedVariables.ts 93.19% <0.00%> (ø)
...utils/src/ast-utils/eslint-utils/PatternMatcher.ts 66.66% <0.00%> (ø)
packages/eslint-plugin/src/rules/no-shadow.ts 75.84% <0.00%> (ø)
... and 221 more

bradzacher
bradzacher approved these changes Oct 2, 2022
View reviewed changes
Copy link
Member

@bradzacher bradzacher left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks good to me! thanks for helping harden our security!

@bradzacher bradzacher changed the title GitHub Workflows security hardening chore: GitHub Workflows security hardening Oct 2, 2022
@bradzacher bradzacher merged commit 5adf7bd into typescript-eslint:main Oct 2, 2022
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 2, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@bradzacher bradzacher bradzacher approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@sashashura @bradzacher