ci: add GitHub token permissions for workflows

[varunsh-coder]

This PR adds minimum token permissions for the GITHUB_TOKEN in GitHub Actions workflows using https://github.com/step-security/secure-workflows.

GitHub recommends defining minimum GITHUB_TOKEN permissions for securing GitHub Actions workflows

• https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/
• https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token
• The Open Source Security Foundation (OpenSSF) Scorecards treats not setting token permissions as a high-risk issue

This project is part of the top 100 critical projects as per OpenSSF (https://github.com/ossf/wg-securing-critical-projects), so fixing the token permissions to improve security.

Before the change:
GITHUB_TOKEN has write permissions for multiple scopes, e.g.
https://github.com/rubocop/rubocop/runs/7939389109?check_suite_focus=true#step:1:19

After the change:
GITHUB_TOKEN will have minimum permissions needed for the jobs.

Signed-off-by: Varun Sharma varunsh@stepsecurity.io

---

Before submitting the PR make sure the following are checked:

• The PR relates to only one subject with a clear title and description in grammatically correct, complete sentences.
• Wrote good commit messages.
• Commit message starts with [Fix #issue-number] (if the related issue exists).
• Feature branch is up-to-date with master (if not - rebase it).
• Squashed related commits together.
• Added tests.
• Ran bundle exec rake default. It executes all tests and runs RuboCop on its own code.
• Added an entry (file) to the changelog folder named {change_type}_{change_description}.md if the new code introduces user-observable changes. See changelog entry format for details.

[bbatsov]

@rubocop/rubocop-core Anyone familiar with these token permissions to provide a review?

[koic]

There seem to be some similar PRs opened and I found a discussion at Node.js repository.
nodejs/node#43743

It seems that there are pros and cons, and it is difficult for me to judge whether or not to merge this. And I have no curiosity and opinion about this yet.

[varunsh-coder]

Hi @koic and @bbatsov, please let me know if I can answer any questions for you.
To add more information:

1. Not only for nodejs (as mentioned by @koic), the pull requests I created to add GITHUB token permissions for over 30 critical projects have been merged. You can see the list here: Fix token permissions for 100 critical open-source projects step-security/secure-repo#462
2. The GITHUB token is always present in GitHub Actions workflows and has write permissions by default. Here is an example for this repo's workflow: https://github.com/rubocop/rubocop/runs/7939389109?check_suite_focus=true#step:1:19. If one of the Actions has a vulnerability or gets compromised, this token can be used to overwrite code or releases.
3. Here is an example, where security researcher exploited this for VS Code : https://www.bleepingcomputer.com/news/security/heres-how-a-researcher-broke-into-microsoft-vs-codes-github/

This change reduces the token permissions, so even if compromised, it cannot be used to cause damage. GitHub itself recommends adding minimum token permissions.

Please let me know if you have any questions about this. I am also curious what is the con that you see with this change?Thanks!

[bbatsov]

Please let me know if you have any questions about this. I am also curious what is the con that you see with this change?Thanks!

I don't see any cons, I'm just wary of breaking something by doing changes we don't fully understand. Anyways, I've reviewed your suggestion and the links you've provided and everything looks good to me. Can you rebase on top of master to address the merge conflict?

[bbatsov]

@varunsh-coder ping :-)

[varunsh-coder]

@varunsh-coder ping :-)

Sorry for the delay. I will do this today.

[varunsh-coder]

@varunsh-coder ping :-)

Sorry for the delay. I will do this today.

Done.

[bbatsov]

Thanks!