Set permissions definitions in each global workflow in .github repo #31

Open
yada opened this issue Nov 7, 2024 · 2 comments
yada commented Nov 7, 2024

Reason/Context

Restricting GitHub Actions permissions to the minimum necessary improves the security of our workflows by limiting access to only what's required. Adopting this structure, read-only permissions at the top level, with specific write permissions declared only at the run level, helps prevent unintended modifications and aligns with GitHub security best practices.

This is an OpenSSF Scorecard check, which is important for our CLOMonitor score. See:
https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
https://clomonitor.io/docs/topics/checks/#token-permissions-from-openssf-scorecard

Description

Update each GitHub Actions workflow YAML file in the repository to set permissions as read-only by default at the top level. For actions requiring write permissions, define these explicitly at the step level. This approach ensures each workflow only has the necessary access permissions and minimizes security risks.

Implementation ideas

  • Audit Existing Workflows: Review each workflow YAML file to identify any permissions currently set at the top level.
  • Set Default Permissions: Update each workflow file to set permissions: read-all at the top level to establish a read-only default.
  • Specify Run-Level Permissions: Add only the necessary permissions at the run level for steps requiring write access (e.g., to commit changes or interact with GitHub resources).
  • Testing: Test each updated workflow to confirm it still operates correctly with the reduced permissions and no access issues arise during execution.
  • Documentation: Add comments in each workflow YAML file explaining the permission setup to help future maintainers understand the structure.

Ex:

.../...
name: Welcome New Users with Thanks and Tip non-stargazers ;-)
on:
  pull_request_target:
    types: [opened, closed]
  issues:
    types: [opened]
permissions:
  contents: read
jobs:
  run:
    permissions:
      issues: write  # for wow-actions/welcome to comment on issues
      pull-requests: write  # wow-actions/welcome to comment on PRs
.../...   

This change aims to enhance security while ensuring workflows function as expected.
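The audit step above (find every workflow, check whether it has a read-only top-level permissions block, and see which jobs ask for write scopes) can be scripted. The script below is an added example, not code from the Microcks .github repository or from OpenSSF Scorecard; it approximates the Token-Permissions idea rather than reproducing Scorecard's implementation. It uses a small indentation-based scanner instead of a YAML library, so it only understands the plain block-mapping style workflow files use (plus the read-all, write-all and {} shorthands); the SCOPES list and the three sample workflows are constructed for the example. The "before" sample mirrors the welcome workflow's trigger: pull_request_target runs in the context of the base repository, so without an explicit permissions block its GITHUB_TOKEN inherits the repository default, which is exactly the gap the issue closes.

```python
"""Audit GitHub Actions workflows for the layout the issue asks for:
read-only `permissions:` at the workflow level, write scopes only on the
jobs that need them.  Added example; not the repo's or Scorecard's code."""
import re
from typing import Dict, List, Optional, Tuple

Perms = Dict[str, str]  # scope -> "read" | "write" | "none"

# GITHUB_TOKEN scopes a `permissions:` mapping can name (constructed list).
SCOPES = [
    "actions", "checks", "contents", "deployments", "discussions", "id-token",
    "issues", "packages", "pages", "pull-requests", "repository-projects",
    "security-events", "statuses",
]


def _clean(line: str) -> str:
    """Drop a trailing `# comment` and trailing whitespace."""
    return re.sub(r"(^|\s)#.*$", "", line).rstrip()


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def _parse_permissions(lines: List[str], start: int) -> Tuple[Perms, int]:
    """Parse the `permissions:` entry at lines[start]; return the scope
    mapping and the index of the first line after it."""
    base = _indent(lines[start])
    value = _clean(lines[start]).strip()[len("permissions:"):].strip()
    if value:  # shorthand forms on the same line
        if value == "read-all":
            return {s: "read" for s in SCOPES}, start + 1
        if value == "write-all":
            return {s: "write" for s in SCOPES}, start + 1
        if value == "{}":  # disables every scope
            return {}, start + 1
        raise ValueError(f"unsupported permissions value: {value!r}")
    perms: Perms = {}
    i = start + 1
    while i < len(lines):
        text = _clean(lines[i])
        if not text.strip():  # blank or comment-only line
            i += 1
            continue
        if _indent(text) <= base:  # left the mapping
            break
        scope, _, level = text.strip().partition(":")
        perms[scope] = level.strip()
        i += 1
    return perms, i


def audit_workflow(text: str) -> dict:
    """Report the workflow-level permissions, write scopes at that level,
    and the write scopes each job declares for itself."""
    lines = text.splitlines()
    top: Optional[Perms] = None
    jobs: Dict[str, Perms] = {}
    in_jobs, current = False, None
    job_indent: Optional[int] = None   # indentation of job names under jobs:
    body_indent: Optional[int] = None  # indentation of keys inside a job
    i = 0
    while i < len(lines):
        text = _clean(lines[i])
        if not text.strip():
            i += 1
            continue
        ind, body = _indent(text), text.strip()
        if ind == 0:
            in_jobs, current, job_indent = body == "jobs:", None, None
            if body.startswith("permissions:"):
                top, i = _parse_permissions(lines, i)
                continue
        elif in_jobs:
            if job_indent is None:
                job_indent = ind
            if ind == job_indent and body.endswith(":"):
                current, body_indent = body[:-1], None
                jobs.setdefault(current, {})
            elif current is not None and ind > job_indent:
                if body_indent is None:
                    body_indent = ind
                if ind == body_indent and body.startswith("permissions:"):
                    jobs[current], i = _parse_permissions(lines, i)
                    continue
        i += 1
    top_writes = sorted(s for s, v in (top or {}).items() if v == "write")
    job_writes = {name: sorted(s for s, v in p.items() if v == "write")
                  for name, p in jobs.items() if "write" in p.values()}
    return {"top_level": top, "top_level_writes": top_writes,
            "job_writes": job_writes,
            # the pattern the issue asks for: top level present and read-only
            "compliant": top is not None and not top_writes}


# Constructed sample: no permissions block, so GITHUB_TOKEN gets the repo default.
BEFORE = """\
name: Welcome New Users
on:
  pull_request_target:
    types: [opened, closed]
  issues:
    types: [opened]
jobs:
  run:
    runs-on: ubuntu-latest
    steps:
      - run: echo "greet"
"""
# Constructed sample: read-only top level, write scopes only on the job.
AFTER = BEFORE.replace("jobs:\n  run:\n", "permissions:\n  contents: read\njobs:\n"
                       "  run:\n    permissions:\n      issues: write  # comment\n"
                       "      pull-requests: write  # comment\n", 1)
# Constructed sample: a top-level write-all, which the audit flags.
WIDE_OPEN = AFTER.replace("permissions:\n  contents: read", "permissions: write-all", 1)

if __name__ == "__main__":
    for label, wf in (("before", BEFORE), ("after", AFTER), ("write-all", WIDE_OPEN)):
        r = audit_workflow(wf)
        print(f"{label:9s} compliant={r['compliant']} top_writes={r['top_level_writes']} "
              f"job_writes={r['job_writes']}")
```

Run it over `.github/workflows/*.yml` by reading each file into `audit_workflow`; a workflow is compliant when a top-level block exists and grants no write scope, and the per-job write list is what a reviewer should compare against the comments explaining why each scope is needed.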


yada commented Nov 7, 2024

  • .github/workflows/stale-issues-prs.yml 👉 is already good.
  • .github/workflows/global-replicator.yml
  • .github/workflows/welcome-new-users.yml

yada added a commit that referenced this issue Nov 7, 2024
Set permissions as described in issue #31 

Signed-off-by: Yacine Kheddache <yacine@microcks.io>

yada commented Nov 7, 2024

welcome-new-users.yml updated and replicated using our global replicator workflow ✅
