Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update README to accept fine-grained tokens #1175

Merged
merged 5 commits into from Jun 22, 2023
Merged

Update README to accept fine-grained tokens #1175

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
c0b8998
Update README for fine-grained tokens
pnacht Jun 13, 2023
9a5eb36
Add info on classic PATs and risks of Administration
pnacht Jun 14, 2023
e84cbc5
Remove comment on deploy keys
pnacht Jun 14, 2023
e143085
Permissions only used for branch protection and webhooks
pnacht Jun 15, 2023
ec6db9c
Merge branch 'main' into finegrained_tokens
spencerschrock Jun 22, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
60 changes: 18 additions & 42 deletions README.md
View file
Open in desktop
Expand Up @@ -14,8 +14,6 @@ OIDC token which verifies the authenticity of the result when publishing it. See

If publishing results, scorecard-action:v2 also imposes new requirements on both the workflow and the job running the `ossf/scorecard-action` step. For full details see [here](#workflow-restrictions).
________
[Personal Access Token (PAT) Requirements and Risks](#personal-access-token-pat-requirements-and-risks)

[Installation](#installation)
- [Workflow Setup](#workflow-setup-required)
- [Authentication](#authentication-with-pat-optional)
Expand Down Expand Up @@ -43,27 +41,6 @@ Running the Scorecard action on a fork repository is not supported.

GitHub Enterprise repositories are not supported.

## Personal Access Token (PAT) Requirements and Risks
spencerschrock marked this conversation as resolved.
Show resolved Hide resolved

Certain features require a Personal Access Token (PAT).

- Public repositories need a PAT to enable the
[Branch-Protection](https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection)
check. Without a PAT, Scorecards will run all checks except the
Branch-Protection check
- Private repositories need a PAT to use any Scorecard Action functions

Using a PAT introduces risks, however. Due to a limitation of the GitHub
permission model, the PAT needs
[write permission to the repository](https://docs.github.com/en/developers/apps/building-oauth-apps/scopes-for-oauth-apps#available-scopes)
through the `repo` scope. **The PAT will be stored as a
[GitHub encrypted secret](https://docs.github.com/en/actions/security-guides/encrypted-secrets)
and be accessible by all the workflows and maintainers of a repository.**
This means another maintainer on your project could potentially use the token to impersonate you. If there is an exploitable bug in a workflow with write permissions, an external contributor could potentially exploit it to extract the PAT.

We recommend that you **do not use a PAT** unless you feel that the
risks introduced are outweighed by the functionalities they support.

## Installation

### Workflow Setup (Required)
Expand All @@ -87,18 +64,18 @@ risks introduced are outweighed by the functionalities they support.

![image](/images/install05.png)

### Authentication with PAT (optional)
Create a Personal Access Token (PAT) for authentication and save the token value as a repository secret. Review [Personal Access Token (PAT) Requirements and Risks](#personal-access-token-pat-requirements-and-risks) before using a PAT.

1. [Create a Personal Access Token](https://github.com/settings/tokens/new?scopes=public_repo,read:org,read:repo_hook,read:discussion) with the following read permissions:
- Note: `Token for OSSF Scorecard Action - myorg/myrepo` (Note: replace `myorg/myrepo` with the names of your organization and repository so you can keep track of your tokens.)
- Expiration: `No expiration`
- Scopes:
* `repo > public_repo` Required to read [Branch-Protection](https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection) settings. **Note**: for private repositories, you need scope `repo`.
* `admin:org > read:org` Optional: not used in current implementation.
* `admin:repo_hook > read:repo_hook` Optional: needed for the experimental [Webhook](https://github.com/ossf/scorecard/blob/main/docs/checks.md#webhooks) check.
* `write:discussion > read:discussion` Optional: not used in current implementation.

### Authentication with Fine-grained Personal Access Token (optional)
Create a fine-grained Personal Access Token (PAT) for authentication and save the token value as a repository secret.

1. [Create a fine-grained Personal Access Token](https://github.com/settings/personal-access-tokens/new) with the following settings:
- Token name: `OpenSSF Scorecard Action - $USER_NAME/$REPO_NAME>` (Note: replace `$USER_NAME/$REPO_NAME` with the names of your organization and repository so you can keep track of your tokens.)
- Expiration: Set `Custom` and then set the date to exactly a year in the future (the maximum allowed)
spencerschrock marked this conversation as resolved.
Show resolved Hide resolved
- Repository Access: `Only select repositories` and select the desired repository. Alternatively, set `All repositories` if you wish to use the same token for all your repositories.
- Repository Permissions:
* `Administration: Read-only`: Required to read [Branch-Protection](https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection) settings.
spencerschrock marked this conversation as resolved.
Show resolved Hide resolved
* `Metadata: Read-only` will be automatically set when you set `Administration`
* `Webhooks: Read-only`: (Optional) needed for the experimental [Webhook](https://github.com/ossf/scorecard/blob/main/docs/checks.md#webhooks) check.
![image](/images/tokenscopes.png)

2. Copy the token value.
Expand All @@ -107,7 +84,9 @@ Create a Personal Access Token (PAT) for authentication and save the token value
- Name: `SCORECARD_TOKEN`
- Value: the value of the token created in step 1 above.

4. (Optional) If you install Scorecard on a repository owned by an organization that uses [SAML SSO](https://docs.github.com/en/enterprise-cloud@latest/authentication/authenticating-with-saml-single-sign-on/about-authentication-with-saml-single-sign-on), be sure to [enable SSO](https://docs.github.com/en/enterprise-cloud@latest/authentication/authenticating-with-saml-single-sign-on/authorizing-a-personal-access-token-for-use-with-saml-single-sign-on) for your PAT token.
Note that fine-grained tokens expire after one year. You'll receive an email from GitHub when your token is about to expire, at which point you must regenerate it. Make sure to update the token string in your repository's secrets.

4. When you call the `ossf/scorecard-action` in your workflow, pass the token as `repo-token: ${{ secrets.SCORECARD_TOKEN }}`.

## View Results

Expand Down Expand Up @@ -142,11 +121,9 @@ To verify that the Action is running successfully, click the repository's Action
![image](/images/actionconfirm.png)

### Troubleshooting
If the run has failed, the most likely reason is an authentication failure. If you are running Scorecards on a private repository, confirm that the Personal Access Token is saved as an encrypted secret within the same repository (see [Authentication](#authentication)). In addition, provide the `repo` scope to your PAT. (The `repo > public_repo` scope only provides access to public repositories).

If you install Scorecards on a repository owned by an organization that uses [SAML SSO](https://docs.github.com/en/enterprise-cloud@latest/authentication/authenticating-with-saml-single-sign-on/about-authentication-with-saml-single-sign-on) or if you see `403 Resource protected by organization SAML enforcement` in the logs, be sure to [enable SSO](https://docs.github.com/en/enterprise-cloud@latest/authentication/authenticating-with-saml-single-sign-on/authorizing-a-personal-access-token-for-use-with-saml-single-sign-on) for your PAT token (see [Authentication](#authentication)).
If the run has failed, the most likely reason is an authentication failure. Confirm that the Personal Access Token is saved as an encrypted secret within the same repository (see [Authentication](#authentication)). Also confirm that the PAT is still valid and hasn't expired or been revoked.

If you use a PAT saved as an encrypted secret and the run is still failing, confirm that you have not made any changes to the workflow yaml file that affected the syntax. Review the [workflow example](#workflow-example) and reset to the default values if necessary.
If you have a valid PAT saved as an encrypted secret and the run is still failing, confirm that you have not made any changes to the workflow yaml file that affected the syntax. Review the [workflow example](#workflow-example) and reset to the default values if necessary.

## Manual Action Setup

Expand Down Expand Up @@ -237,9 +214,8 @@ jobs:
with:
results_file: results.sarif
results_format: sarif
# (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
# (Optional) fine-grained personal access token. Uncomment the `repo_token` line below if:
# - you want to enable the Branch-Protection check on a *public* repository, or
# - you are installing Scorecards on a *private* repository
# To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
spencerschrock marked this conversation as resolved.
Show resolved Hide resolved
# repo_token: ${{ secrets.SCORECARD_TOKEN }}

Expand Down
Binary file modified images/tokenscopes.png
View file
Open in desktop
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.