Limit workflow job permissions to bare minimum #3706
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
marcofranssen
requested review from
evan2645,
amartinezfayo,
azdagron,
MarcosDY and
rturner3
as code owners
This allows to narrow down workflow permissions in GitHub settings See https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs and https://docs.github.com/en/actions/security-guides/automatic-token-authentication\#permissions-for-the-github_token Signed-off-by: Marco Franssen <[email protected]>
marcofranssen
force-pushed
the
workflow-permissions
branch
from
69ae172 to
d4a2a98
Compare
marcofranssen
commented
Dec 20, 2022
|
|
||
| env: | ||
| NIGHTLY: true | ||
|
|
||
| jobs: | ||
| build-and-publish-images: | ||
| runs-on: ubuntu-20.04 | ||
|
|
||
| permissions: |
There was a problem hiding this comment.
Moved to job level, so we don't run the chance new job added in this workflow will also have write access by default.
|
Looks like flaky test. Can someone retrigger this test? |
azdagron
reviewed
Dec 20, 2022
| @@ -1,12 +1,13 @@ | |||
| name: 'Dependency Review' | |||
| on: [pull_request] | |||
|
|
|||
| permissions: | |||
There was a problem hiding this comment.
If we leave this action level permission here, does it apply to any jobs that omit the permissions configuration? If so, it seems safer to leave it in so that any future jobs that neglect to configure permissions will only get read (assuming the org level default is higher).
There was a problem hiding this comment.
contents: read is the default anyhow. You don't even have to define that.
I just like to define it explicitly so it is clear what permissions a job has.
See the link in the pr description.
azdagron
approved these changes
Dec 21, 2022
divaspathak
pushed a commit
to divaspathak/spire
that referenced
this pull request
Dec 24, 2022
This allows to narrow down workflow permissions in GitHub settings See https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs and https://docs.github.com/en/actions/security-guides/automatic-token-authentication\#permissions-for-the-github_token Signed-off-by: Marco Franssen <[email protected]> Signed-off-by: divaspathak <[email protected]>
rturner3
pushed a commit
to rturner3/spire
that referenced
this pull request
Jan 12, 2023
This reverts commit 9d0b194.
rturner3
pushed a commit
to rturner3/spire
that referenced
this pull request
Jan 13, 2023
This reverts commit 9d0b194. Signed-off-by: Ryan Turner <[email protected]>
rturner3
pushed a commit
to rturner3/spire
that referenced
this pull request
Jan 13, 2023
This reverts commit 9d0b194. Signed-off-by: Ryan Turner <[email protected]>
azdagron
added a commit
to azdagron/spire
that referenced
this pull request
Jan 13, 2023
- Fixes a recent regression in permissions on the publish-artifact job (introduced by spiffe#3706). - Makes image publishing rely on the same jobs as artifact publishing so that we don't publish images but fail to publish the release if there is a failure in the windows jobs. Signed-off-by: Andrew Harding <[email protected]>
Merged
MarcosDY
pushed a commit
that referenced
this pull request
Jan 13, 2023
- Fixes a recent regression in permissions on the publish-artifact job (introduced by #3706). - Makes image publishing rely on the same jobs as artifact publishing so that we don't publish images but fail to publish the release if there is a failure in the windows jobs. Signed-off-by: Andrew Harding <[email protected]>
25 tasks
stevend-uber
pushed a commit
to stevend-uber/spire
that referenced
this pull request
Oct 16, 2023
This allows to narrow down workflow permissions in GitHub settings See https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs and https://docs.github.com/en/actions/security-guides/automatic-token-authentication\#permissions-for-the-github_token Signed-off-by: Marco Franssen <[email protected]>
stevend-uber
pushed a commit
to stevend-uber/spire
that referenced
this pull request
Oct 16, 2023
- Fixes a recent regression in permissions on the publish-artifact job (introduced by spiffe#3706). - Makes image publishing rely on the same jobs as artifact publishing so that we don't publish images but fail to publish the release if there is a failure in the windows jobs. Signed-off-by: Andrew Harding <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This allows to narrow down workflow permissions in GitHub settings
See https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs
and https://docs.github.com/en/actions/security-guides/automatic-token-authentication\#permissions-for-the-github_token
Pull Request check list
Affected functionality
Description of change
This allows to set workflows by default to readonly and only request the permissions as they are needed for a certain job, reducing potential attack surface.
A repo admin can change the following setting once this is merged.
https://github.com/spiffe/spire/settings/actions
Which issue this PR fixes