Devin.ford/workflow updates #30172
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,31 @@ | ||
| name: Octo STS Test | ||
| on: | ||
| pull_request: | ||
| branches: | ||
| - master | ||
| types: ["review_requested", "synchronize", "opened", "reopened"] | ||
|
|
||
| jobs: | ||
| read-other-repo: | ||
| name: read contents of another repo | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| id-token: write # Needed to federate tokens. | ||
| steps: | ||
| # <TESTING> Only for debugging, remove after testing | ||
| - name: Debug OIDC Claims | ||
| uses: github/actions-oidc-debugger@main | ||
|
There was a problem hiding this comment. 🟠 Code VulnerabilityWorkflow depends on a GitHub actions pinned by tag (...read more)Pin third party actions by hashWhen using a third party action, one needs to provide its GitHub path ( No pinned git ref means the action will use the latest commit of the default branch each time it runs, eventually running newer versions of the code that were not audited by Datadog. Specifying a git tag is better, but since they are mutable, using a full length hash is recommended to make sure the action's content is actually frozen to some reviewed state. If you wanna benefit from auto-updates, you can enable Dependabot on your repository. It is able to update actions pinned by hash and comment version numbers after them for better readability (see for instance this example PR).
|
||
| with: | ||
| audience: "octo-debugger" | ||
| # </TESTING> | ||
| - uses: DataDog/dd-octo-sts-action@08f2144903ced3254a3dafec2592563409ba2aa0 # v1.0.1 | ||
| id: octo-sts | ||
| with: | ||
| scope: DataDog | ||
| policy: documentation.read-org-members | ||
| - name: Use GH token | ||
| run: | | ||
| gh auth status | ||
| gh api orgs/DataDog/teams/documentation/members | ||
| env: | ||
| GH_TOKEN: ${{ steps.octo-sts.outputs.token }} | ||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🟠 Code Vulnerability
No explicit permissions set for at the workflow level (...read more)
Check the permissions granted to jobs
Datadog’s GitHub organization defines default permissions for the
GITHUB_TOKENto be restricted (contents:read,metadata:readandpackages:read).Your repository may require different setup, but please consider defining permissions for each job following the least privilege principle to restrict the impact of a possible compromission.
You can find the list of all possible permissions in Workflow syntax for GitHub Actions - GitHub Docs. Please note they can be defined at the job or the workflow level.