BUG: starter-workflows does not ask workflows to declare permissions #1299
Comments
cc @josepalafox
Nothing quite like learning you're the emperor with no clothes. Thank you for this, we'll have some internal discussions here. @pulkitaggarwl
Thanks @laurentsimon for tagging me! JFYI - I am working on a way for developers to set token permissions automatically in their workflows. The solution is open source, can be used from a website (no installation needed), and is based on a knowledge base (KB) of different GitHub Actions. It would be great if you could suggest that developers use it to set token permissions (as part of the process that is set up to resolve this issue). It would be easier for them than calculating permissions manually. It will also help improve the KB... in case the submitter owns a GitHub Action, they can add it to the KB, which will benefit others...
I can fix token permissions for all the workflows while building out the KB (mentioned in the comment above). Would you prefer the changes to be made for each workflow in a separate PR, or should I fix multiple workflows in a single PR?
@varunsh-coder thanks for pointing out the gap in starter workflows! 🙇
Thanks @bishal-pdMSFT! It was @laurentsimon who pointed out the gap :), I am just trying to fix them. Also, please note that @arjundashrath, @h0x0er, and @Devils-Knight are interns at StepSecurity, and will be creating PRs to fix permission scopes...
Thanks @varunsh-coder for the hard work. This is making a real difference!
This issue has become stale and will be closed automatically within a period of time. Sorry about that.
This issue is still relevant, as not all workflows have permissions
@Phantsure I see that all starter workflows except one are fixed. Is that right?
@varunsh-coder Merged that as well. Thanks for bringing this up and thank you for the contributions
This issue has become stale and will be closed automatically within a period of time. Sorry about that.
This issue has become stale and will be closed automatically within a period of time. Sorry about that.
GitHub asks users to define workflow permissions, see https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/ and https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token
Until recently, this repo did not follow the recommendations: https://github.com/actions/starter-workflows/pull/1072/files. Thanks @varunsh-coder for helping out!
This repo is home to many "partnered" GitHub Actions. However, it does not enforce that the workflows follow these best practices.
I ran OSSF Scorecard and found that most of the 80+ starter workflows don't declare their permissions. Just one example, for reference: https://github.com/actions/starter-workflows/blob/main/code-scanning/checkmarx.yml
Since this affects all users of the workflows, I think permissions should be enforced during PR reviews and maybe through tooling to verify that the permissions adhere to the principle of least privilege.
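The "tooling to verify the permissions" that the issue asks for can be a small pre-merge check that answers one question per workflow file: does it restrict GITHUB_TOKEN at the top level, or does every job restrict it? The following is an added example written for this thread, not code from the starter-workflows repository or from Scorecard. It is a dependency-free, indentation-based scan that handles the YAML subset workflow files actually use (two-space mapping indentation, `key:` lines, `#` comments) rather than a full YAML parser. The two sample workflows embedded in it are constructed for the example and do not reproduce any file in the repository.

```python
"""Check GitHub Actions workflow files for a declared `permissions:` block.

Added example: an indentation-based scan over workflow YAML that reports,
per file, whether GITHUB_TOKEN is restricted at the top level or by every
job. Assumes two-space mapping indentation and is not a full YAML parser.
"""
from typing import Dict, List, Tuple

# Constructed sample: a workflow that never mentions permissions, so
# GITHUB_TOKEN gets whatever the repository's default token scopes are.
MISSING_PERMISSIONS = """\
name: Build
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make
"""

# Constructed sample of the same workflow after a least-privilege fix:
# a read-only token by default, plus a per-job override for the one job
# that has to write (here: uploading code-scanning results).
LEAST_PRIVILEGE = """\
name: Build
on: [push, pull_request]
permissions:
  contents: read
jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write  # needed to upload SARIF
    steps:
      - uses: actions/checkout@v4
      - run: make scan
"""


def check_workflow_permissions(text: str) -> Tuple[bool, Dict[str, bool]]:
    """Return (top_level_declared, {job_id: job_declared}) for one workflow."""
    top_level = False
    jobs: Dict[str, bool] = {}
    in_jobs = False
    job_indent = None      # indentation of job ids under `jobs:`
    job_key_indent = None  # indentation of a job's own keys (runs-on, steps, permissions, ...)
    current_job = None

    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments; a `#` inside quotes is not handled
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key = line.strip()

        if indent == 0:
            # A new top-level key; this also ends the `jobs:` mapping if we were in it.
            in_jobs = key.startswith("jobs:")
            current_job = None
            job_indent = job_key_indent = None
            if key.startswith("permissions:"):   # `permissions: read-all` and `permissions:` + mapping both count
                top_level = True
            continue
        if not in_jobs:
            continue
        if job_indent is None:
            job_indent = indent                  # first child of `jobs:` fixes the job-id column
        if indent == job_indent and key.endswith(":"):
            current_job = key[:-1]
            jobs[current_job] = False
            job_key_indent = None
            continue
        if current_job is None:
            continue
        if job_key_indent is None:
            job_key_indent = indent              # first key inside the job fixes the job-key column
        if indent == job_key_indent and key.startswith("permissions:"):
            jobs[current_job] = True             # only direct job keys count, not nested `with:`/`env:` entries
    return top_level, jobs


def is_least_privilege_ready(text: str) -> bool:
    """True when every job is covered by a permissions block, via the top level or per job."""
    top_level, jobs = check_workflow_permissions(text)
    return bool(jobs) and (top_level or all(jobs.values()))


def workflows_missing_permissions(files: Dict[str, str]) -> List[str]:
    """Names of workflow files that would fail the PR-review check."""
    return sorted(name for name, text in files.items() if not is_least_privilege_ready(text))


if __name__ == "__main__":
    samples = {"build.yml": MISSING_PERMISSIONS, "analyze.yml": LEAST_PRIVILEGE}
    for name, text in samples.items():
        top, jobs = check_workflow_permissions(text)
        print(f"{name}: top-level={top} jobs={jobs} ok={is_least_privilege_ready(text)}")
    print("missing:", workflows_missing_permissions(samples))
```

Run it over the contents of every file under `.github/workflows/` (or, for this repository, every starter workflow) and fail the PR check when `workflows_missing_permissions` returns anything. A top-level `permissions:` block is treated as sufficient because it applies to every job that does not override it; the per-job override in the second sample shows the pattern for the one job that genuinely needs a write scope.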