GitHub Workflows security hardening #7728
Conversation
Signed-off-by: Alex <aleksandrosansan@gmail.com>
Signed-off-by: Alex <aleksandrosansan@gmail.com>
|
Realm welcomes all contributions! The only requirement we have is that, like many other projects, we need to have a Contributor License Agreement (CLA) in place before we can accept any external code. Our own CLA is a modified version of the Apache Software Foundation’s CLA. Our records show that CLA has not been signed by @sashashura. Please submit your CLA electronically using our Google form so we can accept your submissions. After signing the CLA you can recheck this PR with a |
|
@cla-bot check |
|
The cla-bot has been summoned, and re-checked this pull request! |
|
Hey @sashashura, thank you for the contribution! It totally makes sense to assign the smallest needed permission set, but I am trying to understand the security implications of the change - since we don't use the |
|
Yes, the threat model in this case is a compromise of a building tool. Your case is a little more specific since you call only actions. There are other ways to protect from a compromised action, like hash pinning, but the general principle still applies - run program with least needed privileges (like do not run with sudo unnecessarily). An example of currently assigned permissions: |
This PR adds explicit permissions section to workflows. This is a security best practice because by default workflows run with extended set of permissions (except from
on: pull_requestfrom external forks). By specifying any permission explicitly all others are set to none. By using the principle of least privilege the damage a compromised workflow can do (because of an injection or compromised third party tool or action) is restricted.It is recommended to have most strict permissions on the top level and grant write permissions on job level case by case.