
Minimize GHA permissions #470

Merged (3 commits), Sep 19, 2022

Conversation

@dfarrell07 (Member) commented Aug 24, 2022

Set the GitHub Actions token permission to null in most workflows.

This results in:

```
GITHUB_TOKEN Permissions
  Metadata: read
```

The default permissions, used without the null override, are either

```
GITHUB_TOKEN Permissions
  Actions: write
  Checks: write
  Contents: write
  Deployments: write
  Discussions: write
  Issues: write
  Metadata: read
  Packages: write
  Pages: write
  PullRequests: write
  RepositoryProjects: write
  SecurityEvents: write
  Statuses: write
```

or

```
GITHUB_TOKEN Permissions
  Actions: read
  Checks: read
  Contents: read
  Deployments: read
  Discussions: read
  Issues: read
  Metadata: read
  Packages: read
  Pages: read
  PullRequests: read
  RepositoryProjects: read
  SecurityEvents: read
  Statuses: read
```

Jobs triggered by PRs get read permissions, other jobs get write.

A few jobs require non-null permissions to function.

The dependent issues GHA needs PR/issues write permissions to add/remove
`dependent` labels. It needs status write permission to block/unblock
PRs when dependencies are missing/met. Fails with HttpError otherwise.

The release job needs permissions to publish releases on GitHub and
create/edit PRs. The exact permissions for this job might need tweaking.

The testing workflow already had specific permissions granted.

Signed-off-by: Daniel Farrell <[email protected]>
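The layout the PR describes, as an added example rather than a workflow from the submariner-io/releases repository: an empty `permissions` block at workflow level (the "null" override above) so every job starts with only `Metadata: read`, and job-level blocks that grant exactly the scopes the description lists for the dependent-issues and release jobs. Job names, triggers, the `example-org/dependent-issues-action` reference and the `make lint` target are illustrative assumptions, not the repository's own.

```yaml
# Added example, not a workflow from submariner-io/releases. Job names,
# triggers, the action reference and the lint target are assumptions.
name: Minimal GITHUB_TOKEN permissions

on:
  pull_request:
    types: [opened, edited, reopened, synchronize]
  issues:
    types: [opened, edited, closed, reopened]
  push:
    tags: ['v*']

# Workflow-level default: an empty mapping drops every scope from
# GITHUB_TOKEN, leaving only the implicit "Metadata: read" shown in the
# PR description. Jobs that need more must say so explicitly.
permissions: {}

jobs:
  # Read-only job: even the checkout scope is granted explicitly, so the
  # "Set up job" log shows only Contents: read and Metadata: read.
  lint:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v3
      - run: make lint   # placeholder for the repository's own lint target

  # The scopes the PR description lists for the dependent-issues action:
  # issue and PR write to add/remove the `dependent` label, statuses write
  # to block/unblock the PR. Nothing else is granted.
  dependent-issues:
    if: github.event_name != 'push'
    runs-on: ubuntu-latest
    permissions:
      issues: write
      pull-requests: write
      statuses: write
    steps:
      - uses: example-org/dependent-issues-action@v1   # placeholder action ref
        with:
          token: ${{ secrets.GITHUB_TOKEN }}

  # Release job: publishing a GitHub release needs contents write, and
  # creating/editing PRs needs pull-requests write. The description notes
  # this set may still need tweaking; the two scopes below are the
  # minimum for the two actions it names.
  release:
    if: github.event_name == 'push'
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write
    steps:
      - uses: actions/checkout@v3
      - run: gh release create "${GITHUB_REF_NAME}" --generate-notes
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

The effective grant for each job is printed under "GITHUB_TOKEN Permissions" in the "Set up job" step of the run log, which is where the three lists in the PR description come from; checking that step after a change is the quickest way to confirm a job did not silently inherit the repository default.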

@submariner-bot

🤖 Created branch: z_pr470/dfarrell07/gha_min_perms

@mkolesnik (Contributor) left a comment

Should work, we'll find out if not on m1 😄

@mkolesnik (Contributor)

Some weird failure on the tests when it tried to set up the qemu builder - https://github.com/submariner-io/releases/runs/8073137805?check_suite_focus=true#step:3:95

Seems to fail on docker pull.
I'm not really sure how it relates to your permission changes.

@nyechiel (Member)

@dfarrell07 let's get it merged soon.. this seems a bit risky so we don't want to wait until the final stages of 0.14.

@dfarrell07 (Member, Author)

CC @skitt for a re-review

@dfarrell07 dfarrell07 merged commit 81d4ead into submariner-io:devel Sep 19, 2022
@submariner-bot

🤖 Closed branches: [z_pr470/dfarrell07/gha_min_perms]

dfarrell07 added a commit to dfarrell07/releases that referenced this pull request Sep 21, 2022
After submariner-io#470, the release GitHub Action workflow is failing to add labels
to PRs.

```
gh pr edit --add-label e2e-all-k8s \
submariner-io/submariner#2032
GraphQL: Your token has not been granted the required scopes to execute
this query. The 'login' field requires one of the following scopes:
['read:org'], but your token has only been granted the:
['admin:repo_hook', 'delete:packages', 'notifications', 'repo',
'workflow', 'write:discussion', 'write:packages'] scopes. Please modify
your token's scopes at: https://github.com/settings/tokens.
INFO: Didn't label 'e2e-all-k8s', continuing without it.
```

The only explanation I can find of that permission is:

> read:org Read org and team membership, read org projects

I can also see that permission is a subset of admin:org. It seems to be
different than `read:project Read access of projects` somehow.

It's not clear which GITHUB_TOKEN permission we can set relates to those
token permissions.

docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs

It doesn't seem possible to set all permissions to read and only some to
write, as setting any specific permission overrides read-all.

For now, trying the only permission that seems even vaguely related.

Signed-off-by: Daniel Farrell <[email protected]>
skitt pushed a commit that referenced this pull request Sep 21, 2022