Skip to content

CI: add GitHub token permissions for workflows #21505

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

CI: add GitHub token permissions for workflows #21505

wants to merge 1 commit into from

Conversation

varunsh-coder
Copy link

This pull request adds minimum token permissions for the GITHUB_TOKEN in GitHub Actions workflows using https://github.com/step-security/secure-workflows.

GitHub recommends defining minimum GITHUB_TOKEN permissions for securing GitHub Actions workflows

This project is part of the top critical projects as per OpenSSF (https://github.com/ossf/wg-securing-critical-projects), so fixing the token permissions to improve security.

Before the change:
GITHUB_TOKEN has write permissions for multiple scopes, e.g.
https://github.com/ArduPilot/ardupilot/runs/7944472442?check_suite_focus=true#step:1:19

After the change:
GITHUB_TOKEN will have minimum permissions needed for the jobs.

Signed-off-by: Varun Sharma [email protected]

@varunsh-coder varunsh-coder mentioned this pull request Aug 22, 2022
Open
@khancyr
Copy link
Contributor

khancyr commented Aug 22, 2022

hello,

We decide that is not worth the trouble for now see conversation here :
#21097

Thanks anyway

@khancyr khancyr closed this Aug 22, 2022
@varunsh-coder
Copy link
Author

Hi @khancyr, even though workflows in this repo do not have explicit secrets, the GITHUB_TOKEN is made available in all GitHub Actions workflows. As an example, this token is used by the actions/checkout GitHub Action to authenticate to GitHub to fetch the code. https://github.com/actions/checkout/blob/2541b1294d2704b0964813337f33b291d3f8596b/action.yml#L24

The permissions for this GITHUB_TOKEN are shown in the workflow logs. Below is an example links for a workflow for this repo. You can see it has write permissions as of now, which are not needed.
https://github.com/ArduPilot/ardupilot/runs/7944472442?check_suite_focus=true#step:1:19

Here is a real example of a previous incident, which can be prevented if the token permissions are restricted:
https://www.bleepingcomputer.com/news/security/heres-how-a-researcher-broke-into-microsoft-vs-codes-github/

Just wanted to share all the information, so you can make an informed decision. Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@varunsh-coder @khancyr