
ci: add minimum GitHub token permissions for workflows

Open varunsh-coder opened this issue 2 years ago • 1 comment

Description

This PR adds minimum token permissions for the GITHUB_TOKEN in GitHub Actions workflows using https://github.com/step-security/secure-workflows.

GitHub Actions workflows have a GITHUB_TOKEN with write access to multiple scopes. Here is an example of the permissions in one of the workflows: https://github.com/spf13/cobra/runs/8125223301?check_suite_focus=true#step:1:19

After this change, the scopes will be reduced to the minimum needed for each workflow.

Motivation and Context

  • This is a security best practice, so if the GITHUB_TOKEN is compromised due to a vulnerability or compromised Action, the damage will be reduced.
  • GitHub recommends defining minimum GITHUB_TOKEN permissions. https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token
  • The Open Source Security Foundation (OpenSSF) Scorecards also treats not setting token permissions as a high-risk issue. This change will help increase the Scorecard score for this repository.

Signed-off-by: Varun Sharma [email protected]

varunsh-coder, Sep 01 '22 00:09
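What the change described above looks like in a workflow file, as an added example that is not the cobra project's own workflow or part of this PR. Two hypothetical workflow files are shown as one YAML stream: the first has no `permissions:` key and so inherits the repository's default token permissions; the second pins the token to read-only at the workflow level and widens it for a single job only. The job names, the `comment` job and the action versions are assumptions for illustration.

```yaml
# Added example, not from the cobra repository or this PR.
# File 1 (hypothetical): no `permissions:` key, so every job's GITHUB_TOKEN
# gets the repository's default token permissions, which can include write
# access to contents, packages, pull-requests and more.
name: ci-before
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - run: go test ./...

---
# File 2 (hypothetical): same workflow with least-privilege scopes.
name: ci-after
on: [push, pull_request]

# Workflow-level default: read-only on repository contents, every other
# scope is "none". Checkout and `go test` need nothing more.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - run: go test ./...

  comment:
    # Hypothetical job that posts a pull-request comment. A job-level
    # `permissions:` block replaces the workflow-level set entirely: any
    # scope not listed here is "none", so contents: read must be repeated.
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - run: echo "would post a PR comment here using the GITHUB_TOKEN"
```

To confirm the effective scopes after the change, open a run of the workflow and expand the "Set up job" step; the "GITHUB_TOKEN Permissions" section lists exactly what the token was granted, which is the same log line the PR links to for the current, unrestricted state. Note that a `pull_request` run triggered from a fork already gets a read-only token regardless of these settings, so the block matters most for pushes and for workflows on the base repository.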

CLA assistant check
All committers have signed the CLA.

CLAassistant, Sep 01 '22 00:09