
Reducing security risk in our GitHub workflows

Open afshin opened this issue 3 years ago • 4 comments

We have switched the default behavior for this org to "Workflows have read permissions in the repository for the contents scope only" to utilize GitHub Actions: Control permissions for GITHUB_TOKEN. See also https://github.com/jupyterhub/team-compass/issues/404

An example PR that allows fine-grained permissions is https://github.com/jupyterlab/jupyterlab/pull/10136.

afshin avatar Apr 22 '21 14:04 afshin

As a precaution for JupyterLab Desktop, can we harden its publish action? CC @mbektas:

  • could we use conda-incubator/setup-miniconda over s-weigand/setup-conda (more eyes on the former one)
  • could we hash-pin svenstaro/upload-release-action?
  • could we hash-pin codex-team/action-nodejs-package-info?

Or maybe some of these are not needed in the first place.

krassowski avatar Oct 23 '21 21:10 krassowski
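An added example (not from the issue or from any JupyterLab repository) of the two hardening measures discussed so far: a workflow-wide read-only GITHUB_TOKEN with write access granted to a single job, and third-party actions pinned to a full commit SHA instead of a mutable tag. The workflow name, job layout, artifact path and the all-zero SHAs are constructed placeholders; real pins must be resolved per action.

```yaml
name: publish

on:
  release:
    types: [published]

# Workflow-wide default: the GITHUB_TOKEN may only read repository contents,
# mirroring the org-level setting described in this issue.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Every action is pinned to a full 40-hex commit SHA; the trailing comment
      # records the tag the SHA was resolved from so reviewers can audit bumps.
      # The all-zero SHAs and "vX.Y.Z" tags below are placeholders, not real ids.
      - uses: actions/checkout@0000000000000000000000000000000000000000 # vX.Y.Z (placeholder)
      - uses: conda-incubator/setup-miniconda@0000000000000000000000000000000000000000 # vX.Y.Z (placeholder)
      - run: ./scripts/build.sh   # constructed: produces dist/jupyterlab-desktop.tar.gz
      - uses: actions/upload-artifact@0000000000000000000000000000000000000000 # vX.Y.Z (placeholder)
        with:
          name: dist
          path: dist/

  release:
    needs: build
    runs-on: ubuntu-latest
    # Only this job is allowed to write (upload a release asset); the build job
    # and any other job keep the read-only default inherited from the workflow.
    permissions:
      contents: write
    steps:
      - uses: actions/download-artifact@0000000000000000000000000000000000000000 # vX.Y.Z (placeholder)
        with:
          name: dist
          path: dist/
      - uses: svenstaro/upload-release-action@0000000000000000000000000000000000000000 # vX.Y.Z (placeholder)
        with:
          repo_token: ${{ secrets.GITHUB_TOKEN }}
          file: dist/jupyterlab-desktop.tar.gz   # constructed artifact path
          tag: ${{ github.ref }}
```

The SHA for a given tag can be looked up with `git ls-remote https://github.com/<owner>/<repo> refs/tags/<tag>` and pasted in place of the placeholder; a pinned SHA cannot be moved by a later force-push of the tag, which is the risk that tag pinning leaves open.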

At jupyterlab-translate, we may want to hash-pin ncipollo/release-action (again, few watchers).

krassowski avatar Oct 23 '21 22:10 krassowski

> As a precaution for JupyterLab Desktop, can we harden its publish action? CC @mbektas:
>
>   • could we use conda-incubator/setup-miniconda over s-weigand/setup-conda (more eyes on the former one)
>   • could we hash-pin svenstaro/upload-release-action?
>   • could we hash-pin codex-team/action-nodejs-package-info?
>
> Or maybe some of these are not needed in the first place.

I think these changes make sense for precaution.

mbektas avatar Oct 25 '21 15:10 mbektas

@conda-incubator/setup-miniconda maintainer creator here 😶 ... no pressure 😆

goanpeca avatar Oct 25 '21 15:10 goanpeca