
chore: Add token permissions to check.yml workflow

Open varunsh-coder opened this issue 4 years ago • 3 comments

Description of changes:

This PR adds token permissions to the check.yml workflow. This is a security best practice as per GitHub and is checked by OSSF Scorecard.

  1. I am collating security information about different GitHub Actions in an open-source knowledge-base to calculate minimum GITHUB_TOKEN permissions and restrict outbound traffic to allowed domains. As an owner of aws-actions/configure-aws-credentials Action, please review info about it in the knowledge-base here - specifically the reason for the token permissions the Action needs and expected outbound calls it makes.
  2. JFYI - You can easily add token permissions and other security best practices to other workflows in this repo using https://app.stepsecurity.io. It uses the knowledge base mentioned above. Do let me know if you have feedback. Thanks!

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

varunsh-coder avatar Dec 09 '21 20:12 varunsh-coder
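The change the PR describes, as an added illustration that is not the PR's diff and not the repository's real check.yml: a hypothetical workflow shown without a `permissions` block, beside the same workflow with one. The job names, steps, `npm test` command, and the AWS role ARN are assumptions; the `id-token: write` requirement applies only when the configure-aws-credentials Action is used with OIDC (`role-to-assume`), which the page does not state this repository does.

```yaml
# Added example, not code from the PR or the repository.
#
# --- BEFORE (hypothetical): no `permissions` key, so GITHUB_TOKEN receives the
# repository's default token permissions. OSSF Scorecard's Token-Permissions
# check flags a workflow like this.
#
# name: check
# on: [push, pull_request]
# jobs:
#   test:
#     runs-on: ubuntu-latest
#     steps:
#       - uses: actions/checkout@v3
#       - run: npm test            # assumed step

# --- AFTER (hypothetical): a workflow-level `permissions` block grants only
# what the jobs need. Every job inherits it unless it overrides it.
name: check
on: [push, pull_request]

permissions:
  contents: read          # checkout only needs read access to the repository

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - run: npm test       # assumed step

  # Assumed job: uses configure-aws-credentials with OIDC. The runner must be
  # allowed to request an OIDC token (id-token: write) to exchange for AWS
  # credentials. Granting it here, at job level, leaves `test` at contents: read.
  aws-check:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@v3
      - uses: aws-actions/configure-aws-credentials@v1
        with:
          role-to-assume: arn:aws:iam::123456789012:role/PLACEHOLDER-ROLE   # placeholder ARN
          aws-region: us-east-1
      - run: aws sts get-caller-identity
```

Scoping the broader permission to the one job that needs it is the point of the exercise: a workflow-level `id-token: write` would also satisfy the action, but it would hand that capability to every job in the file.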

@mergifyio update

peterwoodworth avatar Oct 05 '22 02:10 peterwoodworth

update

✅ Branch has been successfully updated

mergify[bot] avatar Oct 05 '22 02:10 mergify[bot]

Hi @peterwoodworth, this file is part of the https://github.com/step-security/secure-workflows project and has information about token permissions needed by the aws-actions/configure-aws-credentials GitHub Action. When one tries to add token permissions to a workflow that uses this Action, that file is used to calculate the permissions needed.

The project has such metadata for other Actions as well. As an example, if you try to add permissions to the CodeQL workflow in this repo with the below link, a similar file for the CodeQL Action and the other actions in the workflow is used to calculate permissions. https://app.stepsecurity.io/secureworkflow/aws-actions/configure-aws-credentials/codeql-analysis.yml/master?enable=permissions

W.r.t. why I added token permissions only to check.yml, I am not sure. If you want, I can push a commit to this PR and add permissions to the remaining workflow files as well. Please let me know. Thanks!

varunsh-coder avatar Oct 06 '22 19:10 varunsh-coder

Closing due to staleness. Please reopen an issue if you would like this to remain on our radar, or submit a new PR with the requested changes. Thanks!

peterwoodworth avatar Feb 22 '23 02:02 peterwoodworth