GitHub Workflows security hardening

Open sashashura opened this issue 2 years ago • 3 comments

Description

This PR adds explicit permissions section to workflows. This is a security best practice because by default workflows run with extended set of permissions (except from on: pull_request from external forks). By specifying any permission explicitly all others are set to none. By using the principle of least privilege the damage a compromised workflow can do (because of an injection or compromised third party tool or action) is restricted. It is recommended to have most strict permissions on the top level and grant write permissions on job level case by case.

Type of change

  • [ ] Bug fix (non-breaking change which fixes an issue)
  • [ ] Feature (non-breaking change which adds functionality)
  • [ ] Breaking change (fix or feature that would cause existing functionality to change)
  • [x] Chore (non-breaking change which doesn't affect codebase; test, version modification, documentation, etc.)

Checklist

  • [x] Code contributed by me aligns with current project license: Apache 2.0
  • [ ] I added CHANGELOG entry regarding this change
  • [ ] I have implemented unit tests to cover my changes
  • [ ] I have added/updated the javadocs and other documentation accordingly
  • [x] No new bugs, code smells, etc. in SonarCloud report
  • [ ] I tested my code in Kubernetes
  • [ ] I tested my code in OpenShift

sashashura avatar Nov 03 '22 23:11 sashashura

Let me know if anything is unclear.

sashashura avatar Nov 30 '22 21:11 sashashura

> Let me know if anything is unclear.

I assume you did this in some automated fashion targeting multiple repos.

Please check some of the files you've modified and look for something that might look odd to you ;)

manusa avatar Dec 02 '22 10:12 manusa

Yes, it is impossible to do it at scale without some automation, as Jonathan did. Do you remember what was failing in the release workflows? The logs are not available now. Maybe I can fix it. It can still be worth granting it only the contents: write permission to do a release instead of granting all of these permissions:

GITHUB_TOKEN Permissions
  Actions: write
  Checks: write
  Contents: write
  Deployments: write
  Discussions: write
  Issues: write
  Metadata: read
  Packages: write
  Pages: write
  PullRequests: write
  RepositoryProjects: write
  SecurityEvents: write
  Statuses: write

What about e2e-tests workflows?

sashashura avatar Dec 02 '22 10:12 sashashura
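The pattern described in the PR description (most restrictive permissions at the top level, write permissions granted per job) and the narrower grant proposed in the comment above (contents: write only for the job that publishes a release) look like this in a workflow file. This is an added illustration, not a file from the kubernetes-client repository; the workflow name, triggers, job names and the build command are assumptions.

```yaml
# Added example (not from the kubernetes-client repository): a workflow that
# applies the pattern the PR describes. The top-level `permissions` block
# restricts the GITHUB_TOKEN for every job to read-only access, and only the
# release job is granted `contents: write`, which is what creating a GitHub
# release needs. Job names, triggers and the build command are assumptions.
name: build-and-release

on:
  push:
    branches: [main]
    tags: ['v*']
  pull_request:

# Least privilege at the top level: once any permission is listed here,
# every permission not listed is set to `none` for all jobs.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    # Inherits the top-level read-only token; no override needed.
    steps:
      - uses: actions/checkout@v4
      - name: Build
        run: ./mvnw -B verify   # assumed build command

  release:
    needs: build
    if: startsWith(github.ref, 'refs/tags/v')
    runs-on: ubuntu-latest
    # Only this job needs to write to the repository (create a release and
    # upload assets); grant it here, case by case, not at the top level.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - name: Create GitHub release
        env:
          GH_TOKEN: ${{ github.token }}
        run: gh release create "${GITHUB_REF_NAME}" --generate-notes
```

To confirm the restriction took effect, open the "Set up job" step of any run: it logs a "GITHUB_TOKEN Permissions" section like the one quoted above, so the build job should show only Contents: read (plus Metadata: read), while the release job shows Contents: write.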

outdated

manusa avatar Mar 28 '24 14:03 manusa