ci: add minimal permissions to workflows bump.yml and release.yml #245
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Hi! I'm Diogo and I work on the same team that Joyce, who created the issues #217, #221 and #227.
I'm creating this PR with changes following the exact same idea proposed on the issue #217, but applying the idea on the workflows that were created after that. As Joyce explained, setting minimal permissions prevents any sort of exploitation in case some of those actions get malicious changes.
As I understand it's tough be always aligned with all those tricky security details, I'll take the liberty to suggest some tips that may help to keep them up.
For the specific point of Workflow Permissions, I'll recommend you to change (if you haven't already) the repository configuration to set the default permissions to read-only. In this case, if you create any new workflow and forget to explicitly declare the permissions, it would run with read-only permissions and any action that requires write-permissions would fail.
I'd also recommend that you consider using the OpenSSF Scorecard Action. Scorecard uses GitHub's public API to gather public informations about your project and runs a sort of "meta-analysis" of the project's security posture. The Action then populates the project's Security Panel with possible improvements to its security posture. It's specially helpful to ensure you won't regress on the security measures you have already adopted. Additionally, the tool integrates with the OSV Scanner, which evaluates project's transitive dependencies looking for known vulnerabilities. Let me know if you have interest and I'll be happy to send a PR adding it.
Cheers,