
GitHub Workflows security hardening

Open sashashura opened this issue 2 years ago • 1 comment

This PR adds an explicit permissions section to workflows. This is a security best practice because by default workflows run with an extended set of permissions (except for on: pull_request from external forks). By specifying any permission explicitly, all others are set to none. By using the principle of least privilege, the damage a compromised workflow can do (because of an injection or a compromised third-party tool or action) is restricted. It is recommended to have the most strict permissions at the top level and grant write permissions at the job level case by case.

sashashura avatar Sep 19 '22 07:09 sashashura
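The pattern the PR description refers to, written out as an added illustration (this is not the workflow file changed in nodejs/node#44717, and the workflow name, branch, job names and the tagging step are assumptions): a read-only token at the top level, with write access granted to the one job that needs it.

```yaml
# Added example, not the PR's own change. Names and steps are assumptions.
name: build-and-tag

on:
  push:
    branches: [main]

# Before (weak): omitting this key entirely leaves GITHUB_TOKEN with the
# repository's default permission set, which is writable on most scopes.
#
# After (hardened): listing any scope here sets every unlisted scope to none,
# so every job below starts with a read-only token.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    # Inherits the top-level read-only token. A compromised dependency or
    # third-party action running here cannot push, open PRs or edit issues.
    steps:
      - uses: actions/checkout@v3
      - run: npm ci && npm test

  tag:
    needs: test
    runs-on: ubuntu-latest
    # Job-level grant, case by case: this job replaces the top-level set with
    # exactly the scopes it needs. Scopes not listed here are still none.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v3
      - run: |
          git tag "build-${GITHUB_RUN_NUMBER}"
          git push origin "build-${GITHUB_RUN_NUMBER}"
```

Two details worth checking when applying this to a real repository: a job-level permissions block does not merge with the top-level one, it replaces it for that job, so every scope the job needs must be repeated there; and, as the description notes, pull_request runs from forks already receive a read-only token regardless of these settings, so the hardening matters most for push, schedule and workflow_dispatch triggers.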

Review requested:

  • [ ] @nodejs/actions

nodejs-github-bot avatar Sep 19 '22 07:09 nodejs-github-bot

Commit Queue failed
- Loading data for nodejs/node/pull/44717
✔  Done loading data for nodejs/node/pull/44717
----------------------------------- PR info ------------------------------------
Title      GitHub Workflows security hardening (#44717)
Author     Alex  (@sashashura, first-time contributor)
Branch     sashashura:patch-3 -> nodejs:main
Labels     meta
Commits    3
 - build: update timezone-update.yml
 - Update .github/workflows/timezone-update.yml
 - Update .github/workflows/timezone-update.yml
Committers 2
 - sashashura 
 - GitHub 
PR-URL: https://github.com/nodejs/node/pull/44717
Reviewed-By: Antoine du Hamel 
Reviewed-By: Mestery 
Reviewed-By: Tierney Cyren 
Reviewed-By: Rich Trott 
------------------------------ Generated metadata ------------------------------
PR-URL: https://github.com/nodejs/node/pull/44717
Reviewed-By: Antoine du Hamel 
Reviewed-By: Mestery 
Reviewed-By: Tierney Cyren 
Reviewed-By: Rich Trott 
--------------------------------------------------------------------------------
   ℹ  This PR was created on Mon, 19 Sep 2022 07:55:47 GMT
   ✔  Approvals: 4
   ✔  - Antoine du Hamel (@aduh95) (TSC): https://github.com/nodejs/node/pull/44717#pullrequestreview-1112285332
   ✔  - Mestery (@Mesteery): https://github.com/nodejs/node/pull/44717#pullrequestreview-1112371619
   ✔  - Tierney Cyren (@bnb): https://github.com/nodejs/node/pull/44717#pullrequestreview-1113891532
   ✔  - Rich Trott (@Trott) (TSC): https://github.com/nodejs/node/pull/44717#pullrequestreview-1122390678
   ✔  Last GitHub CI successful
   ℹ  Green GitHub CI is sufficient
   ⚠  PR author is a new contributor: @sashashura([email protected])
   ⚠  - commit 262a449ce41e is authored by [email protected]
   ⚠  - commit a82a98fcec48 is authored by [email protected]
--------------------------------------------------------------------------------
   ✔  Aborted `git node land` session in /home/runner/work/node/node/.ncu
https://github.com/nodejs/node/actions/runs/3137643152

nodejs-github-bot avatar Sep 27 '22 17:09 nodejs-github-bot

Commit Queue failed
- Loading data for nodejs/node/pull/44717
✔  Done loading data for nodejs/node/pull/44717
----------------------------------- PR info ------------------------------------
Title      GitHub Workflows security hardening (#44717)
Author     Alex  (@sashashura, first-time contributor)
Branch     sashashura:patch-3 -> nodejs:main
Labels     meta, commit-queue-squash
Commits    3
 - build: update timezone-update.yml
 - Update .github/workflows/timezone-update.yml
 - Update .github/workflows/timezone-update.yml
Committers 2
 - sashashura 
 - GitHub 
PR-URL: https://github.com/nodejs/node/pull/44717
Reviewed-By: Antoine du Hamel 
Reviewed-By: Mestery 
Reviewed-By: Tierney Cyren 
Reviewed-By: Rich Trott 
------------------------------ Generated metadata ------------------------------
PR-URL: https://github.com/nodejs/node/pull/44717
Reviewed-By: Antoine du Hamel 
Reviewed-By: Mestery 
Reviewed-By: Tierney Cyren 
Reviewed-By: Rich Trott 
--------------------------------------------------------------------------------
   ℹ  This PR was created on Mon, 19 Sep 2022 07:55:47 GMT
   ✔  Approvals: 4
   ✔  - Antoine du Hamel (@aduh95) (TSC): https://github.com/nodejs/node/pull/44717#pullrequestreview-1112285332
   ✔  - Mestery (@Mesteery): https://github.com/nodejs/node/pull/44717#pullrequestreview-1112371619
   ✔  - Tierney Cyren (@bnb): https://github.com/nodejs/node/pull/44717#pullrequestreview-1113891532
   ✔  - Rich Trott (@Trott) (TSC): https://github.com/nodejs/node/pull/44717#pullrequestreview-1122390678
   ✔  Last GitHub CI successful
   ℹ  Green GitHub CI is sufficient
   ⚠  PR author is a new contributor: @sashashura([email protected])
   ⚠  - commit 262a449ce41e is authored by [email protected]
   ⚠  - commit a82a98fcec48 is authored by [email protected]
--------------------------------------------------------------------------------
   ✔  Aborted `git node land` session in /home/runner/work/node/node/.ncu
https://github.com/nodejs/node/actions/runs/3137833546

nodejs-github-bot avatar Sep 27 '22 17:09 nodejs-github-bot

Landed in 629d2bfca02e

Trott avatar Sep 27 '22 18:09 Trott

Thanks for the contribution. 🎉

Trott avatar Sep 27 '22 18:09 Trott