GitHub Workflows security hardening
This PR adds an explicit permissions section to workflows. This is a
security best practice because by default workflows run with an extended
set of permissions (except for on: pull_request from external
forks). By specifying any permission explicitly, all others are set to
none. By using the principle of least privilege, the damage a compromised
workflow can do (because of an injection or a compromised third party
tool or action) is restricted.
It is recommended to have most strict permissions on the top level and grant write permissions on job level case by case.
Since this job does write to the project board, do we need to add these permissions to the job object?:
```yaml
permissions:
  repository-projects: write
```
It looks like the answer is no, because (1) it doesn't target repository projects and (2) we do have an explicit PAT assigned for it to do its work organization-wide.
Hello @DHowett!
Because this pull request has the AutoMerge label, I will be glad to assist with helping to merge this pull request once all check-in policies pass.
p.s. you can customize the way I help with merging this pull request, such as holding this pull request until a specific person approves. Simply @mention me (@msftbot) and give me an instruction to get started! Learn more here.
Apologies, I am afraid I am encountering technical difficulties that might have hampered my ability to assist with merging this pull request. I will continue to try to assist if there are further changes to this pull request.
> It looks like the answer is no, because (1) it doesn't target repository projects and (2) we do have an explicit PAT assigned for it to do its work organization-wide.
Yes, the permission is not needed because you use a dedicated PAT for this, and the permissions section affects only the automatically generated temporary GITHUB_TOKEN. Although it is not used, it is accessible and quite powerful, so it is better to set its permissions to none.
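To make the pattern from the PR description and the reply above concrete, here is an added example workflow (not the workflow from this PR or the project's own code) that denies every scope to GITHUB_TOKEN at the top level, grants write scopes only to the one job that needs them, and leaves the project-board step without any GITHUB_TOKEN write scope because it authenticates with a dedicated PAT. The job names, script path and the `PROJECT_PAT` secret name are assumptions for illustration.

```yaml
name: Issue automation (added example, not the PR's workflow)

on:
  issues:
    types: [opened, labeled]

# Top level: an empty mapping sets every scope of the temporary GITHUB_TOKEN
# to "none". Jobs must opt in to the scopes they actually need.
permissions: {}

jobs:
  add-to-project:
    runs-on: ubuntu-latest
    # This job writes to an organization-level project with a dedicated PAT,
    # so GITHUB_TOKEN needs no write scope at all; read on contents is enough
    # for checkout.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - name: Add issue to organization project
        # Hypothetical helper script; the secret name PROJECT_PAT is assumed.
        run: ./scripts/add-to-project.sh "$ISSUE_URL"
        env:
          PROJECT_TOKEN: ${{ secrets.PROJECT_PAT }}
          ISSUE_URL: ${{ github.event.issue.html_url }}

  welcome-comment:
    runs-on: ubuntu-latest
    # This job does need to write through GITHUB_TOKEN (it posts a comment),
    # so the write scope is granted here, on the job, and nowhere else.
    permissions:
      issues: write
    steps:
      - name: Comment on the new issue
        run: gh issue comment "$ISSUE_URL" --body "Thanks for the report, we will triage it shortly."
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          ISSUE_URL: ${{ github.event.issue.html_url }}
```

Note that a job-level `permissions` block replaces, rather than extends, the top-level one for that job, so each job lists the full set of scopes it needs; any scope not listed stays at none.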