Set up permissions for Github workflows #217
Comments
|
Sure, we'd be happy for a PR
…On Thu, Feb 23, 2023, 1:52 PM Joyce ***@***.***> wrote:
Hi, I'm from Google working on behalf of the OpenSSF to help open source
projects to improve their supply chain security.
I would like to suggest setting the permissions to the github workflows as
read only on the top level
<https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions>
and any write permission be given at the run level
<https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idpermissions>
.
This is necessary due to a behavior of github workflow to grant to
GITHUB_TOKEN write permissions to all types of permissions, regardless of
they being used or not. In case of the workflow getting compromised, an
attacker can exploit this permissions.
Thus, it is both a recommendation from OpenSSF Scorecard
<https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions>
and the Github
<https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions>
to always use credentials that are minimally scoped.
If that's ok for you let me know and I'll submit a PR with the changes.
The changes are quite simple so if you'd like I can open the PR and we can
discuss on it.
—
Reply to this email directly, view it on GitHub
<#217>, or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAAAGBFMJTO7OZX5LK6KRYDWY6WVXANCNFSM6AAAAAAVGAAWE4>
.
You are receiving this because you are subscribed to this thread.Message
ID: ***@***.***>
|
|
@joycebrum thank you ! :) I reported that to OpenSSF Alpha Omega in December. |
|
Closed by #218 |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
and others
Hi, I'm from Google working on behalf of the OpenSSF to help open source projects to improve their supply chain security.
I would like to suggest setting the permissions to the github workflows as read only on the top level and any write permission be given at the run level.
This is necessary due to a behavior of github workflow to grant to GITHUB_TOKEN write permissions to all types of permissions, regardless of they being used or not. In case of the workflow getting compromised, an attacker can exploit this permissions.
Thus, it is both a recommendation from OpenSSF Scorecard and the Github to always use credentials that are minimally scoped.
If that's ok for you let me know and I'll submit a PR with the changes. The changes are quite simple so if you'd like I can open the PR and we can discuss on it.
The text was updated successfully, but these errors were encountered: