
[security good practice] GitHub Action workflow, secrets.GITHUB_TOKEN now restricted by default (was permissive)

Open danielweck opened this issue 1 year ago • 2 comments

Please update your GitHub Action workflow YAML to include the permissions key and explicitly specify the read/write access rules your jobs actually require:

https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token

https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions

danielweck avatar Jan 31 '24 10:01 danielweck

Relevant code: https://github.com/readium/go-toolkit/blob/70e1626f6623757da9b2886b9573230b85874485/.github/workflows/release.yml#L23-L29

danielweck avatar Jan 31 '24 10:01 danielweck

In the Thorium project we need to create / delete / publish releases, and create / delete Git release tags. This is our GITHUB_TOKEN YAML configuration (as restrictive as possible):

https://github.com/edrlab/thorium-reader/blob/9d2bf56c181ec3da9634d30c12efdf067313efac/.github/workflows/main.yml#L9-L27

danielweck avatar Jan 31 '24 11:01 danielweck
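A release workflow with the `permissions` key applied the way the issue asks (deny everything at the top level, then grant each job only what it needs), as an added example that is not go-toolkit's release.yml or Thorium's main.yml; the action versions, the `./cmd/...` build path and the use of `gh` for the release step are assumptions:

```yaml
# Added example, not the project's own workflow.
# Without a top-level `permissions` key, GITHUB_TOKEN gets the repository's
# default scope: permissive on older repositories, read-only on newer ones,
# so a release job may either have far more access than it needs or fail.
name: release

on:
  push:
    tags:
      - 'v*'

# Deny everything by default; every job below opts in explicitly.
permissions: {}

jobs:
  test:
    runs-on: ubuntu-latest
    permissions:
      contents: read            # enough to check out the code
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      - run: go test ./...

  release:
    needs: test
    runs-on: ubuntu-latest
    permissions:
      contents: write           # create the release and upload its assets
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      # The ./cmd/... layout is an assumption; adjust to the real packages.
      - run: mkdir -p dist && go build -o dist/ ./cmd/...
      # gh is preinstalled on GitHub-hosted runners and reads GH_TOKEN.
      - run: gh release create "$GITHUB_REF_NAME" --generate-notes dist/*
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

Jobs that only build and test keep `contents: read`, so a compromised dependency or action in those jobs cannot push tags or publish releases with the token.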

@danielweck Thanks for initially bringing up this issue, it's being fixed by PR #98

chocolatkey avatar Sep 12 '24 07:09 chocolatkey