Set permissions for GitHub actions #3183
Conversation
- Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/) Restrict the GitHub token permissions only to the required ones; this way, even if the attackers will succeed in compromising your workflow, they won’t be able to do much. Signed-off-by: naveensrinivasan <[email protected]> Signed-off-by: neilnaveen <[email protected]>
There was a problem hiding this comment.
@neilnaveen I'm not an expert on this, despite trying to read to documentation links you've provided.
could you explain
- why you've changed only these workflows, and not the remaining ones (like release)?
- what will happen if write permissions are removed in each case?
cc @tgodzik
Not sure if this is needed, since we do need to approve any workflow which runs from new contributors. And besides couldn't the attacker just remove the permission setting? CI workflow runs the changed yaml configuration. |
then the workflow wouldn't be able to write, and it would fail.
|
It may be a contributor who has done more than one PR, and the subsequent PRs could be the attack vector .
Even if the attacker attempts that, the PR reviewer would catch the change in the PR review. |
Wouldn't it be the same with any other change? So they can catch it if there is something funky going on? I am ok with the change, but I don't think it will improve the security that much. If someone is able to run the code actions they can run whatever they want there together with other changes. |
|
@neilnaveen i am trying to understand several things:
|
|
After doing similar changes in one of my projects (actually a company project after it got reviewed by our security department) I will just throw in my 2 cents
So assuming everything runs as its designed to do and there are no breaches, the changes will not improve security much however that is kind of besides the point, i.e. you should have measures incase there is some sought of breach. In such a case these changes can help, i.e. if you set a
So the default permissions are actually much more open then what this PR does. By default you have both write and read permissions, and so if you just restrict it to read via
I don't think sufficiency should be a concern here, if its not enough you can always improve it in a later PR. In terms of breaking, if something does break then its going to be due to the permissions being too strict and its fairly easy to diagnose i.e. you would get an error saying "Insufficient permissions to write to file" or something along those lines.
Permission changes are granular, i.e. they apply per workflow or even per job. If you put the In my opinion these changes are quite safe, you can go further but as said previously this can be improved upon in further PR's. |
|
I think this should be ok to merge then, what do you think @kitbellew ? |
I was just looking at it. Let's do it. If it breaks, we'll ask @mdedetrich for help :) |
https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs
Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests
Restrict the GitHub token permissions only to the required ones; this way, even if the attackers will succeed in compromising your workflow, they won’t be able to do much.
Signed-off-by: neilnaveen [email protected]