Set permissions for GitHub actions #6413
Conversation
Restrict the GitHub token permissions only to the required ones; this way, even if the attackers will succeed in compromising your workflow, they won’t be able to do much. - Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/) Signed-off-by: neilnaveen <42328488+neilnaveen@users.noreply.github.com>
|
The Tidelift Align workflow is failing because it needs to read an API key from the repo secrets. Please could you fix it? |
hugovk
changed the title
|
At the moment I am busy, could you please cherrypick and merge this commit? Thanks. |
|
There's no rush, whenever you're next free :) |
|
@hugovk I don't think Tidelift Align is failing because of the changes made here. I think it's failing because it's running from a fork, as has happened before. If I take the changes made here to the Tidelift Align workflow, and run it under python-pillow, it passes. |
|
Thank you! would you be able to merge this? |
|
Oh yes, this line skips running for forks (836f740): Pillow/.github/workflows/tidelift.yml Line 17 in fdf4084 But not for PRs from forks to upstream. It would be nice to only run for upstream pushes, or PRs from upstream forks (kind of like the inverse of https://github.com/has2k1/plotnine/blob/69a5289f625202411e2e543aad9c7f2cb9954fc7/.github/workflows/testing.yml#L10-L12), but we have enough guards so it only runs when certain files are changed, and this file is rarely changed, so it's probably not worth the bother. Let's merge this then, thanks! |
|
Note: GitHub Actions recently updated the default (ensuring that read-only permissions are in place makes sense; it seems ungreat to me that many projects had to expand their workflow definitions with additional vendor-specific configuration to gain better confidence about that though. so if it's possible to clean some of that up and simplify back to a more portable configuration, that could be worthwhile) |
|
Thanks for the update. I think there is still value here, as removing these might lower our 'Token-Permissions' score at https://deps.dev/pypi/pillow/, since they might not be aware of that. |
|
Ah, ok - good to know. Hmm.. is |
|
Tidelift, who kindly support Pillow, would like us to do well in a few of the OpenSSF scorecard checks. 'Token-Permissions' isn't actually one of the checks that Tidelift mentions, but that's the origin of the thinking. |
|
The new default only applies to new repos, we still have the read/write default:
|
|
Ek, thanks @hugovk. I should read more carefully :| |
Restrict the GitHub token permissions only to the required ones; this way, even if the attackers will succeed in compromising your workflow, they won’t be able to do much.
https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs
Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests
Signed-off-by: neilnaveen 42328488+neilnaveen@users.noreply.github.com