
Limit top-level permissions for `labeler` workflow

Open JamieMagee opened this issue 1 year ago • 2 comments

By default the top-level GITHUB_TOKEN has all permissions^1. This change removes all permissions by default, as recommended by the GitHub Actions security hardening guide^2. Also see the related alert: https://github.com/dependabot/dependabot-core/security/code-scanning/277

This change is a low-risk test. I plan to modify all other workflows if this works okay.

JamieMagee avatar May 21 '24 05:05 JamieMagee

Will it still be able to apply labels, without any permissions?

jurre avatar May 21 '24 07:05 jurre

@jurre Yes, the triage job in the workflow has the following permissions:

```yaml
permissions:
  contents: read
  pull-requests: write
```

In general, the guide asks you to only put common read permissions at the top level, and scope write permissions to the specific jobs that require them. This workflow only has a single job, so it makes no real difference splitting the `contents: read` to the top level and the `pull-requests: write` to the job level.

JamieMagee avatar May 21 '24 15:05 JamieMagee
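A complete workflow file laid out the way the comment above describes, added here as an illustration rather than taken from the PR's own diff; the workflow name, the trigger, the `triage` job layout and the `actions/labeler` version are assumptions:

```yaml
# Added example, not the PR's diff. Shows the hardening pattern from the
# discussion: deny everything at the top level, then grant the single job
# only what it needs. Workflow name, trigger and labeler version are assumed.
name: labeler

on:
  pull_request_target:
    types: [opened, synchronize]

# Without a top-level `permissions:` key, every job inherits the default
# GITHUB_TOKEN permissions (all permissions, per the PR description).
# An empty map removes them all, so a job must opt in explicitly.
permissions: {}

jobs:
  triage:
    runs-on: ubuntu-latest
    # Scoped to this job only: read the repository to evaluate the
    # labeler rules, write to pull requests to apply labels. Any other
    # job added later starts with no permissions at all.
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: actions/labeler@v5  # version is an assumption
```

Once the workflow runs, the "Set up job" section of the run log lists the effective `GITHUB_TOKEN` permissions, which is the quickest way to confirm that only `contents: read` and `pull-requests: write` were granted.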