Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore: Set permissions for GitHub actions #7789

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

nathannaveen
Copy link

Restrict the GitHub token permissions only to the required ones; this way, even if the attackers will succeed in compromising your workflow, they won’t be able to do much.

https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions

https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs

Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests

Signed-off-by: nathannaveen [email protected]

 Restrict the GitHub token permissions only to the required ones; this way, even if the attackers will succeed in compromising your workflow, they won’t be able to do much.

- Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions

https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions

https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs

[Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)

Signed-off-by: nathannaveen <[email protected]>
@welcome
Copy link

welcome bot commented Jun 4, 2022

💖 Thanks for opening this pull request! 💖

Things that will help get your PR across the finish line:

  • Run npm run lint -- --errors locally to catch formatting errors earlier.
  • Include tests when adding/changing behavior.
  • Include screenshots and animated GIFs whenever possible.

We get a lot of pull requests on this repo, so please be patient and we will get back to you as soon as we can.

@misteroneill misteroneill requested review from gkatsev and gesinger June 6, 2022 14:27
@gkatsev
Copy link
Member

gkatsev commented Jun 9, 2022

From my understanding, PRs get a more restricted set of permissions by default. Is there a specific benefit to specifying the permissions then?

Is this protecting from the action that we depend on updating and being malicious?

@nathannaveen
Copy link
Author

From my understanding, PRs get a more restricted set of permissions by default. Is there a specific benefit to specifying the permissions then?

Is this protecting from the action that we depend on updating and being malicious?

Yes.

@misteroneill misteroneill force-pushed the main branch 2 times, most recently from c1898b4 to 4f8227d Compare November 23, 2022 01:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants