
Add specific permissions to workflows under .github/workflows #2584

Merged
merged 1 commit into from
Sep 10, 2021

Conversation

varunsh-coder
Contributor

This PR adds specific permissions to the existing workflows under .github/workflows.

Background

I have implemented a GitHub App to automatically restrict permissions for the GITHUB_TOKEN in workflows. This is a security best practice as per the GitHub Actions hardening guide.

I am trying the App out on public repositories, by forking them, installing the App on the fork, and manually creating PRs with the fixed workflows. The App automatically fixes permissions when a PR is created that creates a new workflow, so feel free to install it for future workflows, or try it out on other repos.

I have manually reviewed the changes, and they do look good to me. If something looks off, please let me know. If you have feedback, would love to hear it. Thanks!

@ljharb
Member

ljharb commented Sep 10, 2021

I'm confused. Is this a config option that GitHub Actions itself supports, or is this just metadata for your arbitrary third-party tool?

@ljharb
Member

ljharb commented Sep 10, 2021

Separately, because you've unfortunately made a PR from a fork you don't own, I won't be able to land this PR unless you add me to https://github.com/step-security/nvm (please don't create a different PR)

@varunsh-coder
Contributor Author

> I'm confused. Is this a config option that GitHub Actions itself supports, or is this just metadata for your arbitrary third-party tool?

GitHub Actions itself supports it: https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/

My tool sets the proper values for it based on the workflow.
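For readers unfamiliar with the setting referred to above, the following is an added illustration (not this PR's own diff, which is not reproduced on this page) of the `permissions` key that GitHub Actions supports. It shows a hypothetical test workflow as it would look without the key, relying on the repository's default `GITHUB_TOKEN` scope, beside the same workflow with explicit, minimal permissions. The workflow name, job names and steps are made up for the example.

```yaml
# Added illustration, not taken from the PR. Two versions of a made-up CI workflow,
# separated as two YAML documents.

# BEFORE: no `permissions` key. GITHUB_TOKEN receives the repository's default
# scope, which for repositories created before the "read-only by default" setting
# existed is read/write on most scopes (contents, packages, pull-requests, ...),
# far more than a test job needs.
name: tests
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - run: npm test
---
# AFTER: explicit permissions. Listing any scope sets every unlisted scope to
# `none`, so this token can only read repository contents.
name: tests
on: [push, pull_request]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - run: npm test
  comment:
    # A job that needs more than the workflow-level grant declares its own block.
    # A job-level `permissions` replaces the workflow-level one rather than merging
    # with it, so restate every scope the job needs.
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - run: echo "placeholder step that would post a PR comment"
```

The key accepts `read`, `write` or `none` per scope, or the shorthands `read-all` and `write-all` for the whole token. Because unlisted scopes become `none` as soon as any scope is listed, a workflow-level `permissions: contents: read` is the usual baseline, with individual jobs widening only what they need.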

@varunsh-coder
Contributor Author

> Separately, because you've unfortunately made a PR from a fork you don't own, I won't be able to land this PR unless you add me to https://github.com/step-security/nvm (please don't create a different PR)

I did not get you. I do own https://github.com/step-security/nvm. The fork is in an organization that I own. Let me know what needs to be done to address this...

@ljharb
Member

ljharb commented Sep 10, 2021

Right, but GitHub has a bug where if you don't make a PR from your username's fork - not an organization's fork - then the maintainer won't be able to force push to your PR branch.

If you can add me to your organization's fork with "write" permissions until this PR is landed, I'll be able to rebase it as needed and merge it.

@varunsh-coder
Contributor Author

> Right, but GitHub has a bug where if you don't make a PR from your username's fork - not an organization's fork - then the maintainer won't be able to force push to your PR branch.
>
> If you can add me to your organization's fork with "write" permissions until this PR is landed, I'll be able to rebase it as needed and merge it.

Sent you an invite to get access. Thanks!

@ljharb ljharb added the testing Stuff related to testing nvm itself. label Sep 10, 2021
@ljharb ljharb merged commit 59532c7 into nvm-sh:master Sep 10, 2021