-
Notifications
You must be signed in to change notification settings - Fork 233
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
GitHub Workflows security hardening #2695
base: master
Are you sure you want to change the base?
Conversation
Signed-off-by: Alex <aleksandrosansan@gmail.com>
Signed-off-by: Alex <aleksandrosansan@gmail.com>
@kant2002 could you please review? |
Thanks Alex for your initiative. I believe we still have the right permissions to push hints and snapshot with the separate |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Alas, with this PR as it is now, the answer is no: we are hit by https://github.com/orgs/community/discussions/26694 . From what I understand from that discussion and https://github.com/actions/checkout#checkout-v3, the token used by actions/checkout
is persisted by default, and in that case, it is impossible to also use a separate token at the same time.
I opened sashashura#1 to fix that. @sashashura Could you please have a look? Thank you in advance!
Could you try with the following code instead? It sounds to me you have a special token and don't need the autogenerated one. - name: Check out repo
uses: actions/checkout@v2
with:
token: ${{ secrets.DZOMO_GITHUB_TOKEN }} In the referenced link it is about doing |
This PR adds explicit permissions section to workflows. This is a security best practice because by default workflows run with extended set of permissions (except from
on: pull_request
from external forks). By specifying any permission explicitly all others are set to none. By using the principle of least privilege the damage a compromised workflow can do (because of an injection or compromised third party tool or action) is restricted.It is recommended to have most strict permissions on the top level and grant write permissions on job level case by case.