jx icon indicating copy to clipboard operation
jx copied to clipboard

Published 20 hours ago verified publisher icon jenkins-x

GitHub Workflows security hardening

Open sashashura opened this issue 3 years ago • 2 comments
trafficstars

This PR adds explicit permissions section to workflows. This is a security best practice because by default workflows run with extended set of permissions (except from on: pull_request from external forks). By specifying any permission explicitly all others are set to none. By using the principle of least privilege the damage a compromised workflow can do (because of an injection or compromised third party tool or action) is restricted. It is recommended to have most strict permissions on the top level and grant write permissions on job level case by case.

sashashura avatar Sep 20 '22 12:09 sashashura

Hi @sashashura. Thanks for your PR.

I'm waiting for a jenkins-x or todo member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the jenkins-x/lighthouse repository.

jenkins-x-bot avatar Sep 20 '22 12:09 jenkins-x-bot

/ok-to-test

ankitm123 avatar Sep 27 '22 22:09 ankitm123

Codecov Report

Base: 34.30% // Head: 35.86% // Increases project coverage by +1.55% :tada:

Coverage data is based on head (69e1338) compared to base (c5db7d8). Patch has no changes to coverable lines.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #8370      +/-   ##
==========================================
+ Coverage   34.30%   35.86%   +1.55%     
==========================================
  Files          11       11              
  Lines        1233     1252      +19     
==========================================
+ Hits          423      449      +26     
+ Misses        765      758       -7     
  Partials       45       45
Impacted Files Coverage Δ
pkg/cmd/version/version.go 84.44% <0.00%> (+14.02%) :arrow_up:

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

:umbrella: View full report at Codecov.
:loudspeaker: Do you have feedback about the report comment? Let us know in this issue.

codecov[bot] avatar Sep 27 '22 23:09 codecov[bot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ankitm123

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment Approvers can cancel approval by writing /approve cancel in a comment

jenkins-x-bot avatar Oct 21 '22 20:10 jenkins-x-bot