
ER: Create Epic to address GitHub permissions vulnerabilities

Open gaylem opened this issue 10 months ago • 8 comments

Emergent Requirement - Problem

Right now, our permissions are set to read and write but this isn't best practice. According to GitHub, "It's good security practice to set the default permission for the GITHUB_TOKEN to read access only for repository contents. The permissions can then be increased, as required, for individual jobs within the workflow file."

Screenshot of current repo settings:

screenshot_2024-04-14_115940

The GITHUB_TOKEN is automatically created and available for use in your workflows without any extra setup. It can be used for lots of things, like PR automation, workflow triggers, and accessing the GitHub API. It's probably the right token for a lot of the things we do. However, it does have some limitations, such as restricted scopes for certain actions. For more sensitive operations or when more specific permissions are needed, you may need to use custom secrets with more finely tuned scopes. If we change it to read only instead of read/write, it will have an even more limited scope.

Additionally, we are setting specific permissions in some of our workflow files (Ex: codeql.yml). In some cases this may be redundant.

This epic and its issues should determine whether or not the permissions set in workflows are needed if we change the GITHUB_TOKEN scope to read only. Or, perhaps we will need to add additional write permissions. In other words, we need an audit of our permissions across our workflows to identify where we need to restrict or expand access for each workflow.

Issue you discovered this emergent requirement in

  • https://github.com/hackforla/website/pull/6503

Date discovered

2024-04-15

Did you have to do something temporarily

  • [ ] YES
  • [x] NO

Who was involved

@gaylem

What happens if this is not addressed

If this isn't addressed, there's an increased risk of unintended changes being made to the repository, potentially leading to data loss, security breaches, or other issues.

By following best practices and setting the default permission to read access, we will reduce the potential impact of any accidental or malicious actions, as the token will only have the ability to read repository contents. This minimizes the risk of unauthorized modifications and helps ensure the overall security of our GitHub workflows.

Resources

Recommended Action Items

  • [x] Make a new issue
  • [x] Discuss with team
  • [x] Let a Team Lead know

Potential solutions [draft]

We need an issue to assess how we handle permissions in GitHub. This issue needs to accomplish the following:

  1. Identify all files that use more than read permissions
  2. Create an epic
  3. Add issues to the epic to modify permissions on each file individually and test locally

We need to be sure we won't introduce any breaking changes before flipping the repo setting back to read-only.

gaylem, Apr 15 '24 16:04
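As an added example (not code from this issue or from the hackforla/website project), the following Python script performs the first step of the plan above: it scans workflow text for workflow-level and job-level `permissions:` blocks and lists every scope above read level, so a reviewer can see which jobs would break once the repository default drops to read-only. The workflow text is constructed for the example, and the scanner is a small indentation-based reader of the `permissions:` shape used by Actions, not a general YAML parser.

```python
import re

# Inline values that grant write on every scope (GitHub's `write-all` shorthand).
WRITE_ALL = {"write-all"}

def audit_permissions(workflow_text: str) -> list[tuple[str, str, str]]:
    """Return (scope, key, value) for each permission that is not read/none.

    scope is 'workflow' for the top-level block or the job id for a job block.
    """
    findings, lines = [], workflow_text.splitlines()
    in_jobs, current_job = False, None
    for i, line in enumerate(lines):
        stripped = line.strip()
        indent = len(line) - len(line.lstrip())
        if stripped == "jobs:" and indent == 0:
            in_jobs = True
        elif in_jobs and indent == 2 and re.match(r"^[\w.-]+:\s*$", stripped):
            current_job = stripped[:-1]          # job id, e.g. `analyze:`
        elif indent == 0 and stripped and not stripped.startswith("#"):
            in_jobs = False                      # left the `jobs:` mapping
        m = re.match(r"^permissions:\s*(.*)$", stripped)
        if not m:
            continue
        scope = current_job if (in_jobs and indent > 0) else "workflow"
        inline = m.group(1).strip()
        if inline:                               # `write-all`, `read-all` or `{}`
            if inline in WRITE_ALL:
                findings.append((scope, "*", inline))
            continue
        for child in lines[i + 1:]:              # nested `key: value` entries
            if len(child) - len(child.lstrip()) <= indent:
                break
            kv = re.match(r"^\s*([\w-]+):\s*(\S+)", child)
            if kv and kv.group(2) not in ("read", "none"):
                findings.append((scope, kv.group(1), kv.group(2)))
    return findings

# Constructed sample: a read-only default, one job escalating a single scope,
# one job using the blanket `write-all` shorthand, and one job with no block.
SAMPLE_WORKFLOW = """\
name: example
on: [pull_request]
permissions:
  contents: read
jobs:
  label:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - run: echo labelling
  analyze:
    runs-on: ubuntu-latest
    permissions: write-all
    steps:
      - run: echo scanning
  lint:
    runs-on: ubuntu-latest
    steps:
      - run: echo lint
"""

if __name__ == "__main__":
    for scope, key, value in audit_permissions(SAMPLE_WORKFLOW):
        print(f"{scope}: {key} = {value}")
```

Jobs that appear in the output need an explicit `permissions:` block retained (or narrowed) when the repository default becomes read-only; jobs that do not appear, such as `lint` above, will inherit the read-only default unchanged.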