Use minimum GITHUB_TOKEN permissions for each job #1740

Closed
dfarrell07 opened this issue Mar 17, 2022 · 8 comments
Assignees
Labels
automation, dependent, priority:high, size:medium (This can be implemented in a single sprint)

Comments

@dfarrell07
Member

dfarrell07 commented Mar 17, 2022

The GITHUB_TOKEN used by some GitHub Actions can be configured as permissive or restricted. We currently use permissive as the GitHub Organizational default. We should instead use restricted as the GitHub Organizational default and explicitly grant the minimum required permissions to each job/workflow.

You can use the permissions key in your workflow file to modify permissions for the GITHUB_TOKEN for an entire workflow or for individual jobs. This allows you to configure the minimum required permissions for a workflow or job. When the permissions key is used, all unspecified permissions are set to no access, with the exception of the metadata scope, which always gets read access.

https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token

Example per-workflow: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#example-1-passing-the-github_token-as-an-input

Example per-job: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#example-2-calling-the-rest-api
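The following workflow, added here as an illustration and not taken from any Submariner repository, shows the restricted default applied at the workflow level with the minimum scopes granted back per job. The job names, the `make lint` target and the `./hack/check-links.sh` script are assumptions for the example; `actions/checkout` is the real action, and the `Resource not accessible by integration` error in the comment is the message GitHub returns when a step calls the API with a scope the token was not granted.

```yaml
# Added example, not code from the Submariner projects.
name: example-minimum-token-permissions

on:
  pull_request:
  schedule:
    - cron: "0 0 * * 1"

# The permissive organizational default this issue moves away from would be
# the equivalent of:
#   permissions: write-all
#
# Workflow-level restricted default instead: no scopes for GITHUB_TOKEN.
# The metadata scope is always read, so this is the tightest setting
# available (GitHub's docs show the empty-mapping form).
permissions: {}

jobs:
  lint:
    runs-on: ubuntu-latest
    # Only needs to clone the repository. A job-level permissions block
    # replaces the workflow-level one, so every scope the job needs must
    # be listed here, not just the additional ones.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v3 # pin to a full commit SHA in practice
      - run: make lint # hypothetical target

  report-broken-links:
    runs-on: ubuntu-latest
    # A step that opens or updates an issue on failure needs issues: write.
    # Without it the API call fails with:
    #   Error: Resource not accessible by integration
    permissions:
      contents: read
      issues: write
    steps:
      - uses: actions/checkout@v3 # pin to a full commit SHA in practice
      - run: ./hack/check-links.sh # hypothetical script
```

When auditing an existing workflow, look at the "GITHUB_TOKEN Permissions" block GitHub prints at the top of each job's log: it lists exactly the scopes the token was issued with, so a job whose log shows only `Metadata: read` but still succeeds is a job that never needed anything else.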

Depends on #2042
Depends on #2054
Depends on #1799
Depends on submariner-io/admiral#438
Depends on submariner-io/cloud-prepare#424
Depends on submariner-io/lighthouse#913
Depends on submariner-io/releases#515
Depends on submariner-io/shipyard#994
Depends on submariner-io/subctl#310
Depends on submariner-io/submariner-charts#284
Depends on submariner-io/submariner-operator#2292
Depends on submariner-io/submariner-website#839
Depends on submariner-io/enhancements#140

@dfarrell07 dfarrell07 self-assigned this Mar 17, 2022
@dfarrell07 dfarrell07 added the size:medium (This can be implemented in a single sprint) and next-version-candidate labels Mar 21, 2022
dfarrell07 added a commit to dfarrell07/submariner that referenced this issue Mar 23, 2022
This is a bit of a test of Dependabot's support for managing SHA-based
versions of GitHub Actions.

In the original press release about Dependabot's support for GHAs,
they say:

> Dependabot creates pull requests that update the action to the latest
released tag (e.g., v2), regardless of if you’re currently on a release
tag, a pre-release tag, or a specific hash.

github.blog/2020-06-25-dependabot-now-updates-your-actions-workflows/

But I think SHA-based updates were added as a part of:

dependabot/dependabot-core#2835

I see examples where Dependabot apparently works with SHAs:

https://github.com/systemd/systemd/pull/22638/files
https://github.com/google/go-github/pull/2049/files

And those projects are using config like is proposed here:

https://github.com/systemd/systemd/blob/main/.github/dependabot.yml#L5
https://github.com/google/go-github/blob/master/.github/dependabot.yml#L15

As always, we should be careful about taking updates from third parties
and review these PRs to update GHAs carefully. Especially until submariner-io#1740
reduces the permissions of each job to the minimum required.

Signed-off-by: Daniel Farrell <[email protected]>
dfarrell07 added a commit that referenced this issue Mar 28, 2022
astoycos pushed a commit to astoycos/submariner that referenced this issue Apr 14, 2022
astoycos pushed a commit to astoycos/submariner that referenced this issue Apr 14, 2022
anfredette pushed a commit that referenced this issue Apr 15, 2022
@dfarrell07
Member Author

It's weird this doesn't fail: submariner-io/lighthouse#821

Maybe the permissions changes don't take effect on PRs to prevent some attacks? Maybe they have to be merged?

dfarrell07 added a commit to dfarrell07/lighthouse that referenced this issue Aug 19, 2022
Set the GitHub Actions token permission to null in all workflows.

This results in:

GITHUB_TOKEN Permissions
  Metadata: read

The default permissions, used without the null override, are:

GITHUB_TOKEN Permissions
  Actions: read
  Checks: read
  Contents: read
  Deployments: read
  Discussions: read
  Issues: read
  Metadata: read
  Packages: read
  Pages: read
  PullRequests: read
  RepositoryProjects: read
  SecurityEvents: read
  Statuses: read

I suspect the dependent issues job may need

  PullRequests: read
  Issues: read

but it would be nice to verify it does fail without them. That's not
possible to test from a PR because the job triggers from merged config.

Relates-to: submariner-io/submariner#1740
Signed-off-by: Daniel Farrell <[email protected]>
tpantelis pushed a commit to submariner-io/lighthouse that referenced this issue Aug 22, 2022
@nyechiel
Member

@dfarrell07 is there anything left for review here?

@dfarrell07
Member Author

> @dfarrell07 is there anything left for review here?

The periodic markdown link check job's permissions still need tweaking, I'll use Depends on to track.

@dfarrell07
Member Author

Broken link job permissions are sorted out: #2063

dfarrell07 added a commit to dfarrell07/admiral that referenced this issue Oct 19, 2022
The issue reporting step of the Markdown broken link check GitHub Action
is failing due to missing permissions.

> Error: Resource not accessible by integration

Relates-to: submariner-io/submariner#1740
Signed-off-by: Daniel Farrell <[email protected]>
dfarrell07 added a commit to dfarrell07/lighthouse that referenced this issue Oct 19, 2022
dfarrell07 added a commit to dfarrell07/releases that referenced this issue Oct 19, 2022
skitt pushed a commit to submariner-io/lighthouse that referenced this issue Oct 19, 2022
skitt pushed a commit to submariner-io/admiral that referenced this issue Oct 19, 2022
dfarrell07 added a commit to dfarrell07/releases that referenced this issue Oct 20, 2022
dfarrell07 added a commit to dfarrell07/enhancements that referenced this issue Oct 20, 2022
tpantelis pushed a commit to submariner-io/releases that referenced this issue Oct 21, 2022
skitt pushed a commit to submariner-io/enhancements that referenced this issue Oct 24, 2022
@skitt
Member

skitt commented Oct 24, 2022

This has been completed.

@skitt skitt closed this as completed Oct 24, 2022