ci: add minimum GitHub token permissions for workflows#1792
Conversation
Signed-off-by: Varun Sharma <varunsh@stepsecurity.io>
|
|
github-actions
bot
added
the
area/github
|
|
||
| golangci-lint: | ||
| permissions: | ||
| contents: read # for actions/checkout to fetch code |
There was a problem hiding this comment.
This seems a little redundant to set the per-job permissions the same as the overall setting above. Are these changes generated from the security tool? If so, I suppose no harm in being a little more verbose.
There was a problem hiding this comment.
Hi @stmcginnis, are you asking why contents: read is repeated at workflow level and job level?
The golangci-lint job needs two permissions. If contents: read is not specified at the job level, it will not be granted to the job. GitHub permission model works in a way that if no permissions are specified, the top level ones will apply. But if they are specified at the job level, then the specific ones will apply. So if only pull-requests: read is specified at job level, only that will be granted.
Since this is a public repo, that should also work. The tool that generates these fixes does not distinguish between a public or a private repo...so it ends up being a bit verbose for public repos...
jpmcb
left a comment
jpmcb
left a comment
There was a problem hiding this comment.
Wow thanks for helping with this! 👏🏼
jpmcb
added
the
lgtm
5 participants
Description
This PR adds minimum token permissions for the GITHUB_TOKEN in GitHub Actions workflows using https://github.com/step-security/secure-workflows.
GitHub Actions workflows have a GITHUB_TOKEN with
writeaccess to multiple scopes.Here is an example of the permissions in one of the workflows:
https://github.com/spf13/cobra/runs/8125223301?check_suite_focus=true#step:1:19
After this change, the scopes will be reduced to the minimum needed for each workflow.
Motivation and Context
https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token
Signed-off-by: Varun Sharma varunsh@stepsecurity.io