ER: Create Epic to address GitHub permissions vulnerabilities

[gaylem]

Emergent Requirement - Problem

Right now, our permissions are set to read and write but this isn't best practice. According to GitHub, "It's good security practice to set the default permission for the GITHUB_TOKEN to read access only for repository contents. The permissions can then be increased, as required, for individual jobs within the workflow file."

Screenshot of current repo settings:

The GITHUB_TOKEN is automatically created and available for use in your workflows without any extra setup. It can be used for lots of things, like PR automation, workflow triggers, and accessing the GitHub API. It's probably the right token for a lot of the things we do. However, it does have some limitations, such as restricted scopes for certain actions. For more sensitive operations or when more specific permissions are needed, you may need to use custom secrets with more finely tuned scopes. If we change it to read only instead of read/write, it will have an even more limited scope.

Additionally, we are setting specific permissions in some of our workflow files (Ex: codeql.yml). In some cases this may be redundant.

This epic and its issues should determine whether or not the permissions set in workflows are needed if we change the GITHUB_TOKEN scope to read only. Or, perhaps we will need to add additional write permissions. In other words, we need an audit of our permissions across our workflows to identify where we need to restrict or expand access for each workflow.

Issue you discovered this emergent requirement in

• Update codeql.yml to automatically create new CodeQL issues #6503

Date discovered

2024-04-15

Did you have to do something temporarily

• YES
• NO

Who was involved

@gaylem

What happens if this is not addressed

If this isn't addressed, there's an increased risk of unintended changes being made to the repository, potentially leading to data loss, security breaches, or other issues.

By following best practices and setting the default permission to read access, we will reduce the potential impact of any accidental or malicious actions, as the token will only have the ability to read repository contents. This minimizes the risk of unauthorized modifications and helps ensure the overall security of our GitHub workflows.

Resources

• Security Hardening for GitHub Actions

Recommended Action Items

• Make a new issue
• Discuss with team
• Let a Team Lead know

Potential solutions [draft]

We need an issue to assess how we handle permissions in GitHub. This issue needs to accomplish the following:

1. Identify all files that use more than read permissions
2. Create an epic
3. Add issues to the epic to modify permissions on each file individually and test locally

We need to be sure we won't introduce any breaking changes before flipping the repo setting back to read-only

[ExperimentsInHonesty]

@gaylem

• Please review this issue Epic: Create issues to update GHA wiki pages with testing info #6402 and determine if you recommend that it be a dependency for the Epic you are recommending in this ER.

[gaylem]

Hey @ExperimentsInHonesty, I don't think that testing will be impacted by this issue and so #6402 shouldn't be a dependency.

The only way testing might be impacted is if we have to create new tokens or change any scopes. That may not happen, though, and it doesn't make sense to delay updating our overall GHA instructions to wait for this.

Personally, I think updating the instructions is a more pressing issue and would rather make some minor tweaks later on if our audit reveals a need for token changes.

Let me know what you think. Thanks!

[ExperimentsInHonesty]

Make the following issues

• Audit all the workflow files to determine what permissions each require (this issue creates the spreadsheet and details what they find)
• Reviewing the list of permission (in the spreadsheet), write a decision record on how to improve existing policy
• Epic for making template and issue that will change the permissions (IM2)
  • change permissions in one file
  • ...

[HackforLABot]

Hi @dcotelessa, thank you for taking up this issue! Hfla appreciates you :)

Do let fellow developers know about your:-
i. Availability: (When are you available to work on the issue/answer questions other programmers might have about your issue?)
ii. ETA: (When do you expect this issue to be completed?)

You're awesome!

P.S. - You may not take up another issue until this issue gets merged (or closed). Thanks again :)