From b2359f410a40f5e00a1944828f24ed636f278313 Mon Sep 17 00:00:00 2001 From: Ryan Ling Date: Wed, 23 Mar 2022 08:55:33 +1100 Subject: [PATCH 1/2] Lock down GitHub workflows - https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions - https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions --- .changeset/lazy-ants-brush.md | 7 +++++++ .github/workflows/codeql-analysis.yml | 7 ++++++- .github/workflows/release.yml | 4 ++++ .github/workflows/validate.yml | 4 ++++ template/oss-npm-package/.github/workflows/release.yml | 4 ++++ template/oss-npm-package/.github/workflows/validate.yml | 4 ++++ 6 files changed, 29 insertions(+), 1 deletion(-) create mode 100644 .changeset/lazy-ants-brush.md diff --git a/.changeset/lazy-ants-brush.md b/.changeset/lazy-ants-brush.md new file mode 100644 index 000000000..b25b0fb9e --- /dev/null +++ b/.changeset/lazy-ants-brush.md @@ -0,0 +1,7 @@ +--- +"skuba": patch +--- + +template/oss-npm-package: Lock down GitHub workflow permissions + +This aligns with [OpenSSF guidance](https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions). diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 65193e49b..8f905f4d9 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -6,14 +6,19 @@ name: CodeQL on: - push: pull_request: + push: schedule: - cron: '0 22 * * 0' +permissions: {} + jobs: analyze: name: Analyze + permissions: + actions: read + security-events: write runs-on: ubuntu-latest strategy: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index d5fa0553a..7987a3580 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -6,9 +6,13 @@ on: - beta - master +permissions: {} + jobs: release: name: Publish & Deploy + permissions: + contents: write runs-on: ubuntu-latest steps: - name: Check out repo 
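Review bot: The job-level `permissions` added to `analyze` lists `actions: read` and `security-events: write` but not `contents: read`; since the new top-level `permissions: {}` sets every unspecified scope to `none`, the checkout step that follows (outside the hunk) runs with a token that cannot read the repository, which fails on a private repository and is the third scope GitHub's CodeQL starter workflow lists. Add `contents: read` under this job's `permissions:`. The same omission applies to the job-level blocks in `.github/workflows/validate.yml` and `template/oss-npm-package/.github/workflows/validate.yml` in this patch, where `checks: write` is the only scope granted.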
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml index 7692eae89..98881ca76 100644 --- a/.github/workflows/validate.yml +++ b/.github/workflows/validate.yml @@ -15,9 +15,13 @@ on: workflows: - Release +permissions: {} + jobs: core: name: Lint & Test + permissions: + checks: write runs-on: ubuntu-latest steps: - name: Check out repo diff --git a/template/oss-npm-package/.github/workflows/release.yml b/template/oss-npm-package/.github/workflows/release.yml index 3791c324b..281bf3a6b 100644 --- a/template/oss-npm-package/.github/workflows/release.yml +++ b/template/oss-npm-package/.github/workflows/release.yml @@ -6,9 +6,13 @@ on: - beta - master +permissions: {} + jobs: release: name: Publish & Deploy + permissions: + contents: write runs-on: ubuntu-latest steps: - name: Check out repo diff --git a/template/oss-npm-package/.github/workflows/validate.yml b/template/oss-npm-package/.github/workflows/validate.yml index 3c2a69dff..0ea4e7969 100644 --- a/template/oss-npm-package/.github/workflows/validate.yml +++ b/template/oss-npm-package/.github/workflows/validate.yml @@ -4,9 +4,13 @@ on: - pull_request - push +permissions: {} + jobs: validate: name: Lint & Test + permissions: + checks: write runs-on: ubuntu-latest steps: - name: Check out repo From 27f44a76ac7c1fbb9f5ed4218f7cd1e4983b9b76 Mon Sep 17 00:00:00 2001 From: Ryan Ling Date: Wed, 23 Mar 2022 08:58:54 +1100 Subject: [PATCH 2/2] Drop release scope We're using the `seek-oss-ci` token now. --- .github/workflows/release.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index f141876fb..e9ee657d8 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -11,8 +11,6 @@ permissions: {} jobs: release: name: Publish & Deploy - permissions: - contents: write runs-on: ubuntu-latest steps: - name: Check out repo
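Review bot: `checks: write` is granted to the `core` job without naming which step needs it; the steps are outside the hunk, so a reader of the `permissions` block cannot tell whether the scope serves a test-report action or is a leftover. A one-line comment such as `# checks: write — <step name> publishes test results as a check run` above the scope keeps the grant reviewable and lets it be removed when that step goes. The same applies to the `validate` job in `template/oss-npm-package/.github/workflows/validate.yml`.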
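Review bot: `contents: write` on the template's `release` job is the broadest scope introduced in this series — it permits pushing commits and tags to any branch — and the hunk gives no indication of which step (outside the hunk) relies on it. Record the consumer next to the grant, e.g. `# contents: write — <release step> creates tags/releases`, so template consumers can judge whether a narrower setup (an environment-scoped secret or deploy key) suits them. The repository's own `release.yml` drops this scope in PATCH 2/2 in favour of a separate token, so the template and the repo workflow now intentionally diverge; a comment saying so in the template avoids the two being "synced" back later.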
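Review bot: `checks: write` on the `validate` job has no effect for the `pull_request` trigger visible above it when the PR comes from a fork — GitHub caps `GITHUB_TOKEN` at read-only for fork pull requests regardless of the `permissions` block — so whichever step writes the check run (outside the hunk) should expect a 403 there. Either gate that step, e.g. `if: github.event.pull_request.head.repo.full_name == github.repository`, or mark it `continue-on-error: true` with a comment explaining the fork case. For an OSS template this is the common path, so it is worth handling explicitly rather than leaving the grant to look sufficient.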
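Review bot: With `contents: write` removed and the workflow-level `permissions: {}` left in place, the `release` job now runs with a `GITHUB_TOKEN` that has no scopes at all, which reads as a misconfiguration to anyone who has not seen this commit message; a comment above `permissions: {}` such as `# GITHUB_TOKEN is intentionally scopeless; publishing uses the seek-oss-ci token` would carry the rationale into the file. Two follow-ups are worth confirming: that the checkout step (outside the hunk) is given that token via its `token:` input if the repository is private, since `contents` is now `none`; and that the `seek-oss-ci` secret is bound to a protected environment, because a personal access token is not constrained by the `permissions` block and so defines the job's real blast radius.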