Skip to content

Commit

Permalink
Auto merge of #101332 - sashashura:patch-1, r=pietroalbini
Browse files Browse the repository at this point in the history
GitHub Workflows security hardening

This PR adds explicit [permissions section](https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions) to workflows. This is a security best practice because by default workflows run with [extended set of permissions](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token) (except from `on: pull_request` [from external forks](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)). By specifying any permission explicitly all others are set to none. By using the principle of least privilege the damage a compromised workflow can do (because of an [injection](https://securitylab.github.com/research/github-actions-untrusted-input/) or compromised third party tool or action) is restricted.
It is recommended to have [most strict permissions on the top level](https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions) and grant write permissions on [job level](https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs) case by case.
  • Loading branch information
bors committed Sep 18, 2022
2 parents 4af79cc + bd5aad3 commit a37499a
Show file tree
Hide file tree
Showing 2 changed files with 17 additions and 0 deletions.
8 changes: 8 additions & 0 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -25,11 +25,15 @@ name: CI
pull_request:
branches:
- "**"
permissions:
contents: read
defaults:
run:
shell: bash
jobs:
pr:
permissions:
actions: write
name: PR
env:
CI_JOB_NAME: "${{ matrix.name }}"
Expand Down Expand Up @@ -142,6 +146,8 @@ jobs:
AWS_SECRET_ACCESS_KEY: "${{ secrets[format('AWS_SECRET_ACCESS_KEY_{0}', env.ARTIFACTS_AWS_ACCESS_KEY_ID)] }}"
if: "success() && !env.SKIP_JOB && (github.event_name == 'push' || env.DEPLOY == '1' || env.DEPLOY_ALT == '1')"
auto:
permissions:
actions: write
name: auto
env:
CI_JOB_NAME: "${{ matrix.name }}"
Expand Down Expand Up @@ -547,6 +553,8 @@ jobs:
AWS_SECRET_ACCESS_KEY: "${{ secrets[format('AWS_SECRET_ACCESS_KEY_{0}', env.ARTIFACTS_AWS_ACCESS_KEY_ID)] }}"
if: "success() && !env.SKIP_JOB && (github.event_name == 'push' || env.DEPLOY == '1' || env.DEPLOY_ALT == '1')"
try:
permissions:
actions: write
name: try
env:
CI_JOB_NAME: "${{ matrix.name }}"
Expand Down
9 changes: 9 additions & 0 deletions src/ci/github-actions/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -264,6 +264,9 @@ on:
branches:
- "**"

permissions:
contents: read

defaults:
run:
# On Linux, macOS, and Windows, use the system-provided bash as the default
Expand All @@ -273,6 +276,8 @@ defaults:

jobs:
pr:
permissions:
actions: write # for rust-lang/simpleinfra/github-actions/cancel-outdated-builds
<<: *base-ci-job
name: PR
env:
Expand All @@ -293,6 +298,8 @@ jobs:
<<: *job-linux-xl

auto:
permissions:
actions: write # for rust-lang/simpleinfra/github-actions/cancel-outdated-builds
<<: *base-ci-job
name: auto
env:
Expand Down Expand Up @@ -719,6 +726,8 @@ jobs:
<<: *job-windows-xl

try:
permissions:
actions: write # for rust-lang/simpleinfra/github-actions/cancel-outdated-builds
<<: *base-ci-job
name: try
env:
Expand Down

0 comments on commit a37499a

Please sign in to comment.