From 7541995ab67f7ff976e37d0b75704406aa988373 Mon Sep 17 00:00:00 2001 From: Matthew Feickert Date: Sat, 13 Jul 2024 11:04:40 -0700 Subject: [PATCH] fix: Address comments from Tim Head's review * Format things that are supposed to be variables that are project dependent like Shell variables (preceded with a '$'). * Be more explicit with the actions permissions. * Add information on using RELEASING.md for making a release. --- spec-0008/index.md | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/spec-0008/index.md b/spec-0008/index.md index 23b57b3b..c429a84e 100644 --- a/spec-0008/index.md +++ b/spec-0008/index.md @@ -41,6 +41,7 @@ With a focus on securing the release artifact distribution process, the followin ### Document the release process The release process should be clearly and fully documented in the developer documentation and describe each step to make a release and the permissions required to do so. +It is recommended that this is a dedicated page in the developer section of the documentation website, though providing instructions in a `RELEASING.md` in the top level of the repository is also a common approach. ### Hardening workflow environment permissions 
@@ -63,15 +64,15 @@ Elevating permissions beyond this should be done at the job level by redefining #### Restrict permitted actions in workflows -GitHub allows to restrict the actions that workflows can use via repositories settings at `https://github.com/ORG/PROJECT/settings/actions`. -A reasonable default setup is to: +GitHub allows restricting the actions that workflows can use via the repository actions permissions settings at `https://github.com/$ORG/$PROJECT/settings/actions`. +A reasonable default is to select -- allow actions from the repository itself and actions created by GitHub, -- as well as an allow list of actions from third party repositories. +> Allow $ORG, and select non-$ORG, actions and reusable workflows - ``` - OWNER/REPOSITORY@* - ``` +and the suboptions: + +* Allow actions created by GitHub +* Allow specified actions and reusable workflows Consult [Managing GitHub Actions permissions for your repository](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#managing-github-actions-permissions-for-your-repository) for more details. @@ -85,7 +86,7 @@ environment: ``` and enforce additional review by at least one other maintainer to run a GitHub Actions workflow that publishes to PyPI. -Additional reviewer requirements can be configured per GitHub Actions environment under `https://github.com/ORG/PROJECT/settings/environments/` in the "Deployment protection rules" section. +Additional reviewer requirements can be configured per GitHub Actions environment under `https://github.com/$ORG/$PROJECT/settings/environments/` in the "Deployment protection rules" section. ![github-actions-environment](https://hackmd.io/_uploads/S1SErQ0EC.png) 
@@ -120,7 +121,7 @@ updates: A component of SLSA is [software attestation](https://slsa.dev/attestation-model) which allows for public validation of software artifacts and provenance. GitHub provides the [`actions/attest-build-provenance`](https://github.com/actions/attest-build-provenance) GitHub Action which implements SLSA to generate signed build provenance attestations for workflow artifacts. -Attestations are published to the project GitHub under `https://github.com/ORG/PROJECT/attestations/`. +Attestations are published to the project GitHub under `https://github.com/$ORG/$PROJECT/attestations/`. ```yaml - uses: actions/attest-build-provenance@ # vX.Y.Z
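Review bot: In the `@@ -41,6 +41,7 @@` hunk, the added sentence reads "It is recommended that this is a dedicated page"; the subjunctive "that this be a dedicated page" is the idiomatic form, and since the preceding sentence already requires documenting "the permissions required" for each step, it is worth stating in the same sentence that a `RELEASING.md` must carry that permissions information too, so the lighter-weight option is not read as exempt from it.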
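Review bot: The `@@ -63,15 +64,15 @@` hunk removes the only concrete illustration of an allow-list entry (the deleted `OWNER/REPOSITORY@*` block) while the new bullet "Allow specified actions and reusable workflows" leaves the reader without an example of what to specify. Consider keeping a fenced pattern under that bullet, and since `@*` permits any ref of the third-party action, the example is a natural place to show the pinned form the document favours elsewhere (the `# vX.Y.Z` comment convention in the attestation snippet) rather than the wildcard.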
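Review bot: In the `@@ -85,7 +86,7 @@` hunk the `$ORG`/`$PROJECT` substitution is consistent with the rest of the patch, but the unchanged context line `![github-actions-environment](https://hackmd.io/_uploads/S1SErQ0EC.png)` embeds a screenshot hosted on hackmd.io; for a specification about securing the release process, the image should live in the repository (e.g. alongside `spec-0008/index.md`) so the page does not depend on a third-party upload that can change or disappear.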
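Review bot: In the `@@ -120,7 +121,7 @@` hunk the URL change is fine, but the trailing context line `- uses: actions/attest-build-provenance@ # vX.Y.Z` has nothing after the `@`, which is not a valid `uses:` reference and will fail if copied as written. Since the comment convention signals a pinned commit with the tag noted beside it, the snippet should carry an explicit placeholder such as `actions/attest-build-provenance@<commit-sha> # vX.Y.Z` so readers know a full SHA is expected there.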