Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Declare permissions #15493

Merged
merged 2 commits into from
Feb 15, 2024
Merged

Declare permissions #15493

merged 2 commits into from
Feb 15, 2024

Conversation

jsoref
Copy link
Contributor

@jsoref jsoref commented Jan 31, 2024

Repositories can be configured with Default access (restricted) https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token

Best practice says that workflows should declare the minimal permissions they require. Without declaring permissions, paranoid forks fail miserably.

closes #15462

@jsoref jsoref requested review from a team as code owners January 31, 2024 14:00
@jsoref
Copy link
Contributor Author

jsoref commented Jan 31, 2024

To make the Check change note workflow happy, please add label:no-change-note-required

angelapwen
angelapwen previously approved these changes Jan 31, 2024
View reviewed changes
Copy link
Contributor

@angelapwen angelapwen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I looked at your fork of the repo, which has identical permissions and works 👍 thank you for the contribution!

csharp/actions/create-extractor-pack/action.yml Outdated Show resolved Hide resolved
@angelapwen angelapwen added the no-change-note-required This PR does not need a change note label Jan 31, 2024
@github-actions github-actions bot removed the C# label Jan 31, 2024
angelapwen
angelapwen requested changes Feb 1, 2024
View reviewed changes
Copy link
Contributor

@angelapwen angelapwen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Blocking merge until the other comments are addressed 😄

aeisenberg
aeisenberg requested changes Feb 6, 2024
View reviewed changes
Copy link
Contributor

@aeisenberg aeisenberg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for contributing this. I like that this narrows the permissions of all of our tokens.

I think .github/workflows/csv-coverage-update.yml is broken. I have a few other suggestions that will allow you to narrow the permissions. security-events is only required if we are reading or writing SARIF to or from code scanning.

I do have a concern that these jobs haven't been run. Are you able to trigger them in your fork to make sure all permissions are correct?

What we do in other repos and can do here (but best to wait for a followup PR) is to add a chunk that ensures the workflow file is run whenever the workflow file itself is modified.

eg-

  pull_request:
    paths:
      - '.github/workflows/csv-coverage-timeseries.yml'

(and similar for all other workflow files)

.github/workflows/csv-coverage-update.yml Outdated Show resolved Hide resolved
.github/workflows/ql-for-ql-tests.yml Outdated Show resolved Hide resolved
.github/workflows/query-list.yml Outdated Show resolved Hide resolved
.github/workflows/ruby-dataset-measure.yml Outdated Show resolved Hide resolved
.github/workflows/ruby-qltest.yml Outdated Show resolved Hide resolved
.github/workflows/swift.yml Outdated Show resolved Hide resolved
.github/workflows/validate-change-notes.yml Outdated Show resolved Hide resolved
@jsoref
Copy link
Contributor Author

jsoref commented Feb 7, 2024

@aeisenberg: the design of these workflows is really painful.

jsoref
jsoref commented Feb 12, 2024
View reviewed changes
.github/workflows/ql-for-ql-build.yml
Comment on lines -22 to +27
uses: github/codeql-action/init@v2
uses: github/codeql-action/init@main
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@aeisenberg says:

All of it really should be using @main since we want to test on the latest in case we break something.

aeisenberg
aeisenberg reviewed Feb 13, 2024
View reviewed changes
Copy link
Contributor

@aeisenberg aeisenberg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Partial review. I'm finding it hard to verify that this PR is correct.

.github/workflows/csharp-qltest.yml Outdated Show resolved Hide resolved
.github/workflows/csharp-qltest.yml Outdated Show resolved Hide resolved
aeisenberg
aeisenberg previously approved these changes Feb 13, 2024
View reviewed changes
Copy link
Contributor

@aeisenberg aeisenberg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is looking good to me, but since this change affects lots of files, I'd like someone else to approve as well.

angelapwen
angelapwen reviewed Feb 14, 2024
View reviewed changes
Copy link
Contributor

@angelapwen angelapwen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some questions in comments. Also, I still see a bunch of security-events: read permissions here: are those necessary? I see that they were able to be dropped from a few workflows because of the changes you'd made in the Action 😄

.github/workflows/csharp-qltest.yml Outdated Show resolved Hide resolved
.github/workflows/fast-forward.yml Show resolved Hide resolved
@jsoref
use github/codeql-action...@main
e468f40
@jsoref
Declare permissions
b58c856 
Repositories can be configured with Default access (restricted)
https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token

Best practice says that workflows should declare the minimal permissions they require.
Without declaring permissions, paranoid forks fail miserably.
@angelapwen
Copy link
Contributor

Thank you for your patience and of course contributions @jsoref!! Merging now 💕

@angelapwen angelapwen merged commit 0643184 into github:main Feb 15, 2024
54 checks passed
@jsoref jsoref deleted the declare-permissions branch February 15, 2024 10:59
@angelapwen angelapwen mentioned this pull request Feb 16, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aeisenberg aeisenberg aeisenberg approved these changes

@angelapwen angelapwen angelapwen approved these changes

Assignees
No one assigned
Labels
no-change-note-required This PR does not need a change note QL-for-QL
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Workflows are missing permissions requests
3 participants
@jsoref @angelapwen @aeisenberg