From: sashashura <aleksandrosansan@xxxxxxxxx>
Currently the workflow runs with the following permissions:
GITHUB_TOKEN Permissions
Actions: write
Checks: write
Contents: write
Deployments: write
Discussions: write
Issues: write
Metadata: read
Packages: write
Pages: write
PullRequests: write
RepositoryProjects: write
SecurityEvents: write
Statuses: write
Signed-off-by: sashashura <aleksandrosansan@xxxxxxxxx>
---
ci: restrict workflow's github token permissions
This PR adds explicit permissions section
[https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions]
to workflows. This is a security best practice because by default
workflows run with extended set of permissions
[https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token]
(except from on: pull_request from external forks
[https://securitylab.github.com/research/github-actions-preventing-pwn-requests/]).
By specifying any permission explicitly all others are set to none. By
using the principle of least privilege the damage a compromised workflow
can do (because of an injection
[https://securitylab.github.com/research/github-actions-untrusted-input/]
or compromised third party tool or action) is restricted. It is
recommended to have most strict permissions on the top level
[https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions]
and grant write permissions on job level
[https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs]
case by case.
check-whitespace.yml is triggered by pull_request only and receives
restricted token already. l10n.yml has permissions on job level already.
So I didn't make any changes to them. In both cases it is possible to
add explicit global lever permissions just for consistency if you
prefer. Let me know.
Currently
[https://github.com/git/git/actions/runs/3100948073/jobs/5021781329] the
workflow runs with the following permissions: GITHUB_TOKEN Permissions
Actions: write Checks: write Contents: write Deployments: write
Discussions: write Issues: write Metadata: read Packages: write Pages:
write PullRequests: write RepositoryProjects: write SecurityEvents:
write Statuses: write
Published-As: https://github.com/gitgitgadget/git/releases/tag/pr-git-1337%2Fsashashura%2Fpatch-2-v1
Fetch-It-Via: git fetch https://github.com/gitgitgadget/git pr-git-1337/sashashura/patch-2-v1
Pull-Request: https://github.com/git/git/pull/1337
.github/workflows/main.yml | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 831f4df56c5..3ce9302c589 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -5,8 +5,14 @@ on: [push, pull_request]
env:
DEVELOPER: 1
+permissions:
+ contents: read
+
jobs:
ci-config:
+ permissions:
+ contents: read
+ actions: read # for github.actions.getWorkflowRun
name: config
runs-on: ubuntu-latest
outputs:
base-commit: dda7228a83e2e9ff584bf6adbf55910565b41e14
--
gitgitgadget
