From 0a3b095056ded77f10e6eea397ae60556b04bb3c Mon Sep 17 00:00:00 2001 From: neilnaveen <42328488+neilnaveen@users.noreply.github.com> Date: Tue, 31 May 2022 01:08:21 +0000 Subject: [PATCH 1/7] chore: Set permissions for GitHub actions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Restrict the GitHub token permissions only to the required ones; this way, even if the attackers will succeed in compromising your workflow, they won’t be able to do much. - Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/) Signed-off-by: neilnaveen <42328488+neilnaveen@users.noreply.github.com> --- .github/workflows/ci.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index faf9bf56d..0f5913632 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -4,8 +4,14 @@ on: - push - pull_request +permissions: + contents: read + jobs: test: + permissions: + checks: write # for coverallsapp/github-action to create new checks + contents: read # for actions/checkout to fetch code runs-on: ${{ matrix.os }} strategy: matrix: @@ -55,6 +61,8 @@ jobs: github-token: ${{ secrets.GITHUB_TOKEN }} parallel: true coverage: + permissions: + checks: write # for coverallsapp/github-action to create new checks needs: test runs-on: ubuntu-latest steps: From 2502201a1935e54982126ef267f2684e05e7e786 Mon Sep 17 00:00:00 2001 
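Review bot: The `contents: read` added under `test` in the first hunk (@@ -4,8 +4,14) is load-bearing, not a repeat of the workflow-level grant, because a job-level `permissions` block replaces the workflow-level block for that job rather than merging with it, and the comment `# for actions/checkout to fetch code` does not say so. A comment such as `# job-level permissions replace the workflow-level block, so contents: read must be restated here` would stop a later cleanup from dropping it. The same override applies to the second hunk (@@ -55,6 +61,8), where `coverage` declares only `checks: write` and therefore runs with a token that has no `contents` scope; if the Coveralls finish step needs no repository access that is fine, but it deserves the same comment. The `to create new checks` justification should be confirmed against what coverallsapp/github-action actually does with `github-token`, since `checks: write` is the only write scope the workflow grants.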
From: Luigi Pinca Date: Sat, 4 Jun 2022 08:17:32 +0200 Subject: [PATCH 2/7] Update .github/workflows/ci.yml --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 0f5913632..a2cae2863 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -62,7 +62,7 @@ jobs: parallel: true coverage: permissions: - checks: write # for coverallsapp/github-action to create new checks + checks: write needs: test runs-on: ubuntu-latest steps: From 54550468b9511e3550079de384fce5a28e82f32e Mon Sep 17 00:00:00 2001 From: Luigi Pinca Date: Sat, 4 Jun 2022 08:17:48 +0200 Subject: [PATCH 3/7] Update .github/workflows/ci.yml --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a2cae2863..232c0b3f0 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -10,7 +10,7 @@ permissions: jobs: test: permissions: - checks: write # for coverallsapp/github-action to create new checks + checks: write # Needed for coverallsapp/github-action. contents: read # for actions/checkout to fetch code runs-on: ${{ matrix.os }} strategy: From 9a3d585bb547e38ff94052ed17d77a187ff2ae96 Mon Sep 17 00:00:00 2001 From: Luigi Pinca Date: Sat, 4 Jun 2022 08:22:19 +0200 Subject: [PATCH 4/7] Update .github/workflows/ci.yml --- .github/workflows/ci.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 232c0b3f0..4741cf712 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -11,7 +11,6 @@ jobs: test: permissions: checks: write # Needed for coverallsapp/github-action. - contents: read # for actions/checkout to fetch code runs-on: ${{ matrix.os }} strategy: matrix: From 7e74017e02c0153d35171d00d3377af063875677 Mon Sep 17 00:00:00 2001 
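Review bot: Dropping `contents: read` from the `test` job's `permissions` (patch 4, @@ -11,7 +11,6) leaves that job's token with only `checks: write`, because a job-level `permissions` block overrides the workflow-level `contents: read` rather than inheriting it; actions/checkout then works only as long as the repository is public, which the workflow itself does not establish. Patches 5 and 6 rewrite this block again, so the intermediate state matters mainly when bisecting. Patches 2 and 3 (@@ -62,7 +62,7 and @@ -10,7 +10,7) leave the two `checks: write` lines documented inconsistently: the `test` one keeps `# Needed for coverallsapp/github-action.` while the `coverage` one loses its comment, so keep the same comment on both or on neither.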
From: Luigi Pinca Date: Sat, 4 Jun 2022 08:32:59 +0200 Subject: [PATCH 5/7] Update .github/workflows/ci.yml --- .github/workflows/ci.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4741cf712..ad7c9cbea 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -4,8 +4,7 @@ on: - push - pull_request -permissions: - contents: read +permissions: {} jobs: test: From a3953efe3b56a905ea9bdf6a1de6debfd6d649de Mon Sep 17 00:00:00 2001 From: Luigi Pinca Date: Sat, 4 Jun 2022 08:33:04 +0200 Subject: [PATCH 6/7] Update .github/workflows/ci.yml --- .github/workflows/ci.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ad7c9cbea..eb43f5814 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -8,8 +8,6 @@ permissions: {} jobs: test: - permissions: - checks: write # Needed for coverallsapp/github-action. runs-on: ${{ matrix.os }} strategy: matrix: From c90e7230cde4c178928d83b551b7a79bcc507314 Mon Sep 17 00:00:00 2001 From: Luigi Pinca Date: Sat, 4 Jun 2022 08:33:08 +0200 Subject: [PATCH 7/7] Update .github/workflows/ci.yml --- .github/workflows/ci.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index eb43f5814..a3a787a65 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -57,8 +57,6 @@ jobs: github-token: ${{ secrets.GITHUB_TOKEN }} parallel: true coverage: - permissions: - checks: write needs: test runs-on: ubuntu-latest steps:
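Review bot: With `permissions: {}` at the workflow level (patch 5, @@ -4,8 +4,7) and the job-level blocks removed by patches 6 and 7 (@@ -8,8 +8,6 and @@ -57,8 +57,6), `GITHUB_TOKEN` carries no scopes at all, yet the `coverage` job still hands it to the action as `github-token: ${{ secrets.GITHUB_TOKEN }}` (visible as context in patch 7). That is the tightest setting and works for a public repository, where actions/checkout needs no `contents: read`, but it also removes the `checks: write` that patch 1 said coverallsapp/github-action uses to create check runs, so confirm on a real run that coverage still reports and the action does not fail on that call. If that matches the intent, a short comment keeps it from being "fixed" later: `permissions: {}  # no token scopes: public repo, checkout needs none and no step should write checks`. Should the repository become private or the workflow be reused elsewhere, `contents: read` has to come back at the workflow or job level.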