Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Reduce permission for milestone GitHub Action #3193

Merged
merged 1 commit into from
Oct 10, 2023
Merged

Reduce permission for milestone GitHub Action #3193

merged 1 commit into from
Oct 10, 2023

Conversation

marcotc
Copy link
Member

@marcotc marcotc commented Oct 6, 2023
edited
Loading

This PR reduces the permission of the add-milestone-to-pull-requests GitHub Action to the minimum possible.

This is specially important on GitHub Actions that use the pull_request_target trigger, because it can run on pull requests by external contributors (which is what we want for this tagger action). More details about the dangers of pull_request_target here: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
Despite these concerns, pull_request_target is the trigger we want because we do want external pull requests to trigger this Action and have permission to edit the milestone of a pull request (a write permission).

Notes

The only other action using, the pull-request-labeler, already has minimum permissions declared, thanks to well-documented default permissions by the Action author:

dd-trace-rb/.github/workflows/pull-request-labeler.yml

Lines 7 to 9 in 5e27525

permissions:
contents: read
pull-requests: write

@marcotc marcotc self-assigned this Oct 6, 2023
@marcotc marcotc requested a review from a team as a code owner October 6, 2023 21:13
@github-actions github-actions bot added the dev/github Github repository maintenance and automation label Oct 6, 2023
@codecov-commenter
Copy link

Codecov Report

Merging #3193 (8f9dfa7) into master (790e6b4) will increase coverage by 0.00%.
Report is 9 commits behind head on master.
The diff coverage is 100.00%.

@@           Coverage Diff           @@
##           master    #3193   +/-   ##
=======================================
  Coverage   98.21%   98.21%           
=======================================
  Files        1252     1252           
  Lines       71907    71937   +30     
  Branches     3329     3331    +2     
=======================================
+ Hits        70622    70654   +32     
+ Misses       1285     1283    -2
Files Coverage Δ
lib/datadog/appsec/processor.rb 94.18% <100.00%> (+0.28%) ⬆️
spec/datadog/appsec/processor_spec.rb 99.07% <100.00%> (+0.12%) ⬆️

... and 3 files with indirect coverage changes

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

@marcotc marcotc mentioned this pull request Oct 6, 2023
Merged
ivoanjo
ivoanjo approved these changes Oct 9, 2023
View reviewed changes
Copy link
Member

@ivoanjo ivoanjo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 LGTM. I took a look at the list of available permissions and it confirms (in a bit of a confusing way) that this is the right permission for the job.

@marcotc marcotc merged commit e56c150 into master Oct 10, 2023
176 checks passed
@marcotc marcotc deleted the reduce-gha-permission-milestone branch October 10, 2023 18:07
@anmarchenko anmarchenko mentioned this pull request Oct 16, 2023
Closed
@anmarchenko anmarchenko mentioned this pull request Oct 24, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@GustavoCaso GustavoCaso GustavoCaso approved these changes

@ivoanjo ivoanjo ivoanjo approved these changes

@ekump ekump ekump approved these changes

Assignees

@marcotc marcotc

Labels
dev/github Github repository maintenance and automation
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@marcotc @codecov-commenter @ekump @ivoanjo @GustavoCaso