Set up permissions for Github workflows #217
Comments
Sure, we'd be happy for a PR
On Thu, Feb 23, 2023, 1:52 PM Joyce wrote:

Hi, I'm from Google working on behalf of the OpenSSF to help open source projects improve their supply chain security.
I would like to suggest setting the permissions of the GitHub workflows to read-only at the top level (https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions) and granting any write permission at the run level (https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idpermissions).
This is necessary due to a behavior of GitHub workflows that grants GITHUB_TOKEN write permissions for all types of permissions, regardless of whether they are being used or not. In case of the workflow getting compromised, an attacker can exploit these permissions.
Thus, it is a recommendation from both OpenSSF Scorecard (https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions) and GitHub (https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions) to always use credentials that are minimally scoped.
If that's ok for you let me know and I'll submit a PR with the changes. The changes are quite simple so if you'd like I can open the PR and we can discuss on it.
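As an added illustration of the recommendation in the issue (this is not the change from PR #218 or any workflow of this project), a workflow that scopes GITHUB_TOKEN to read-only at the top level and grants a single write scope only to the job that needs it. The workflow name, the `make test` step and the release command are assumptions for the example.

```yaml
# Added example, not from this project: release workflow with least-privilege
# GITHUB_TOKEN scopes. Without a top-level `permissions:` block, every job
# receives a token that may carry write access to all scopes, whether or not
# the job uses them, which is what a compromised step would be able to abuse.
name: release

on:
  push:
    tags: ['v*']

# Top level: the token is read-only for every job unless a job says otherwise.
# (`permissions: read-all` is the equivalent shorthand for all read scopes.)
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    # Inherits the read-only token; running tests needs no write scope.
    steps:
      - uses: actions/checkout@v3
      - run: make test   # assumed test entry point

  publish:
    needs: test
    runs-on: ubuntu-latest
    # Job level: grant only the one write scope this job actually uses.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v3
      # gh is preinstalled on GitHub-hosted runners; it reads GH_TOKEN.
      - run: gh release create "$GITHUB_REF_NAME" --generate-notes
        env:
          GH_TOKEN: ${{ github.token }}
```

The OpenSSF Scorecard Token-Permissions check linked in the issue flags workflows that lack the top-level restriction, so this layout satisfies it while still letting the release job push.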
@joycebrum thank you! :) I reported that to OpenSSF Alpha Omega in December.
Closed by #218