-
Notifications
You must be signed in to change notification settings - Fork 3.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
🏗ci: Add GitHub token permissions for workflows #38019
Conversation
I am not sure why the unit test is failing. It is unrelated to the change made in this PR. |
Update based on feedback from failed check related to formatting
2177b6d
to
b5fa366
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sometimes our tests just flake, despite our best efforts 🤷♂️
I'll restart the tests and hopefully this will fix it
This looks great to me, but I would like to have @estherkim and @alanorozco take a look at this as well since they know some of these workflows better than me
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
thanks @varunsh-coder and @danielrozenberg! lgtm
Let's give Alan a change to take a look, otherwise I'll merge this tomorrow |
GitHub asks users to define workflow permissions, see https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/ and https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token for securing GitHub workflows against supply-chain attacks.
The Open Source Security Foundation (OpenSSF) Scorecards also treats not setting token permissions as a high-risk issue.
This PR adds minimum token permissions for the GITHUB_TOKEN using https://github.com/step-security/secure-workflows.
This project is part of the top 100 critical projects as per OpenSSF (https://github.com/ossf/wg-securing-critical-projects), so fixing the token permissions to improve security.