Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

GITHUB_TOKEN permissions used by this action #58

Closed
step-security-bot opened this issue Apr 28, 2022 · 0 comments
Closed

GITHUB_TOKEN permissions used by this action #58

step-security-bot opened this issue Apr 28, 2022 · 0 comments

Comments

@step-security-bot
Copy link

At https://github.com/step-security/secure-workflows we are building a knowledge-base (KB) of GITHUB_TOKEN permissions needed by different GitHub Actions. When developers try to set minimum token permissions for their workflows, they can use this knowledge-base instead of trying to research permissions needed by each GitHub Action they use.

Below you can see the KB of your GITHUB Action.

name: 'PR Labeler'
github-token:
  environment-variable-name: GITHUB_TOKEN
  is-default: false
  permissions:
    pull-requests: write
    pull-requests-reason: to add labels in PR #Checkout: https://github.com/TimonVS/pr-labeler-action/blob/b30ed4c31985a393b2d25a62feb0e7c75d628883/src/action.ts#L31
    
#Fixes #632

If you think this information is not accurate, or if in the future your GitHub Action starts using a different set of permissions, please create an issue at https://github.com/step-security/secure-workflows/issues to let us know.

This issue is automatically created by our analysis bot, feel free to close after reading :)

References:

GitHub asks users to define workflow permissions, see https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/ and https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token for securing GitHub workflows against supply-chain attacks.

Setting minimum token permissions is also checked for by Open Source Security Foundation (OpenSSF) Scorecards. Scorecards recommend using https://github.com/step-security/secure-workflows so developers can fix this issue in an easier manner.

danyeaw added a commit to gaphor/gaphor that referenced this issue May 3, 2022
danyeaw added a commit to danyeaw/pr-labeler-action that referenced this issue May 3, 2022
@TimonVS TimonVS closed this as completed Nov 16, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants