Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ci: add minimal permissions to workflows bump.yml and release.yml #245

Merged

Conversation

diogoteles08
Copy link
Contributor

Hi! I'm Diogo and I work on the same team that Joyce, who created the issues #217, #221 and #227.

I'm creating this PR with changes following the exact same idea proposed on the issue #217, but applying the idea on the workflows that were created after that. As Joyce explained, setting minimal permissions prevents any sort of exploitation in case some of those actions get malicious changes.

As I understand it's tough be always aligned with all those tricky security details, I'll take the liberty to suggest some tips that may help to keep them up.

  1. For the specific point of Workflow Permissions, I'll recommend you to change (if you haven't already) the repository configuration to set the default permissions to read-only. In this case, if you create any new workflow and forget to explicitly declare the permissions, it would run with read-only permissions and any action that requires write-permissions would fail.

  2. I'd also recommend that you consider using the OpenSSF Scorecard Action. Scorecard uses GitHub's public API to gather public informations about your project and runs a sort of "meta-analysis" of the project's security posture. The Action then populates the project's Security Panel with possible improvements to its security posture. It's specially helpful to ensure you won't regress on the security measures you have already adopted. Additionally, the tool integrates with the OSV Scanner, which evaluates project's transitive dependencies looking for known vulnerabilities. Let me know if you have interest and I'll be happy to send a PR adding it.

Cheers,

Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
@alex alex merged commit 7f0e639 into certifi:master Sep 7, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants