🌱 Set permissions for GitHub actions #6672
Conversation
Restrict the GitHub token permissions only to the required ones; this way, even if the attackers will succeed in compromising your workflow, they won’t be able to do much. - Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/) Signed-off-by: neilnaveen <[email protected]>
k8s-ci-robot
added
the
cncf-cla: yes
|
Welcome @neilnaveen! |
k8s-ci-robot
added
the
needs-ok-to-test
|
Hi @neilnaveen. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
size/S
| @@ -2,8 +2,14 @@ name: golangci-lint | |||
| on: | |||
| pull_request: | |||
| types: [opened, edited, synchronize, reopened] | |||
| permissions: | |||
There was a problem hiding this comment.
Why are we specifying permission top-level and in the job? If I understood it correctly top-level applies to the whole file and the one in the job only to the job. But we only have one job in this file (and in others) so this seems to be redundant?
(same for the other files)
| jobs: | ||
| golangci: | ||
| permissions: | ||
| contents: read # for actions/checkout to fetch code | ||
| pull-requests: read # for golangci/golangci-lint-action to fetch pull requests |
There was a problem hiding this comment.
Q: Does the golangci-lint action really fetch PRs?
There was a problem hiding this comment.
Optional: allow read access to pull request. Use with
only-new-issuesoption.
xref: https://github.com/golangci/golangci-lint-action
So in our case I think it is not necessary.
|
/ok-to-test |
k8s-ci-robot
added
ok-to-test
|
/retitle 🌱 Set permissions for GitHub actions |
k8s-ci-robot
changed the title
|
Do you have time to address the findings? |
I don't have time at the moment, could you please cherrypick and merge these changes? |
Will do. Thx for letting us now! /close Superseded by #6818 |
|
@sbueringer: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Restrict the GitHub token permissions only to the required ones; this way, even if the attackers will succeed in compromising your workflow, they won’t be able to do much.
https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs
Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests
Signed-off-by: neilnaveen [email protected]