ci: add GitHub token permissions for workflows #10947
Conversation
@rubocop/rubocop-core Anyone familiar with these token permissions to provide a review?
There seem to be some similar PRs opened and I found a discussion at Node.js repository. It seems that there are pros and cons, and it is difficult for me to judge whether or not to merge this. And I have no curiosity or opinion about this yet.
Hi @koic and @bbatsov, please let me know if I can answer any questions for you.
This change reduces the token permissions, so even if compromised, it cannot be used to cause damage. GitHub itself recommends adding minimum token permissions. Please let me know if you have any questions about this. I am also curious what is the con that you see with this change? Thanks!
I don't see any cons, I'm just wary of breaking something by doing changes we don't fully understand. Anyways, I've reviewed your suggestion and the links you've provided and everything looks good to me. Can you rebase on top of
@varunsh-coder ping :-)
Sorry for the delay. I will do this today.
Done.
Thanks!
This PR adds minimum token permissions for the GITHUB_TOKEN in GitHub Actions workflows using https://github.com/step-security/secure-workflows.
GitHub recommends defining minimum GITHUB_TOKEN permissions for securing GitHub Actions workflows
This project is part of the top 100 critical projects as per OpenSSF (https://github.com/ossf/wg-securing-critical-projects), so fixing the token permissions to improve security.
Before the change: GITHUB_TOKEN has write permissions for multiple scopes, e.g. https://github.com/rubocop/rubocop/runs/7939389109?check_suite_focus=true#step:1:19
After the change: GITHUB_TOKEN will have minimum permissions needed for the jobs.
Signed-off-by: Varun Sharma varunsh@stepsecurity.io
Before submitting the PR make sure the following are checked:
* Commit message starts with [Fix #issue-number] (if the related issue exists).
* Feature branch is up-to-date with master (if not - rebase it).
* Ran bundle exec rake default. It executes all tests and runs RuboCop on its own code.
* Added an entry (file) to the changelog folder named {change_type}_{change_description}.md if the new code introduces user-observable changes. See changelog entry format for details.
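As an added illustration of the kind of change this PR makes (written for this page, not RuboCop's actual workflow files), here is a workflow before and after a `permissions` block; the job names and the second job's step are hypothetical placeholders.

```yaml
# Added example, not RuboCop's workflow. Two YAML documents separated by
# "---": the first is the "before" state, the second the "after" state.
#
# Before: no `permissions` key, so GITHUB_TOKEN inherits the repository's
# default token permissions, which can be write access on most scopes,
# far more than a job that only runs the test suite needs.
name: CI (before)
on: [push, pull_request]
jobs:
  test:                                  # hypothetical job name
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - run: bundle exec rake default
---
# After: a workflow-level `permissions` block. As soon as any scope is
# listed, every scope not listed is set to `none`, so a compromised step
# or action in this workflow can only read repository contents.
name: CI (after)
on: [push, pull_request]
permissions:
  contents: read
jobs:
  test:                                  # hypothetical job name
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - run: bundle exec rake default
  # A job that genuinely needs more declares it at job level. The job-level
  # block replaces the workflow-level one for that job only, so the grant
  # is scoped to the single job that uses it, not the whole workflow.
  label:                                 # hypothetical job name
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - run: echo "hypothetical step that needs to write to the PR"
```

The "before" state can be confirmed from the workflow log's "Set up job" step, which prints the token's effective permissions (the link in the PR description points at exactly that output).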