Granular Workflow Permissions #19026

Open
wants to merge 2 commits into base: master

Conversation

nubtron
Contributor

@nubtron nubtron commented Nov 11, 2024

What does this PR do?

This PR implements the necessary preparations to set default workflow permissions to "Read-only" and to disable "Allow GitHub Actions to create and approve pull requests". We want to set those options to their most restrictive values for security reasons. See https://datadoghq.atlassian.net/browse/VULN-8234 for more information.

I did my best to isolate and test steps that might require permissions, but since actions that require permissions typically have side effects (e.g. creating a release), I didn't test everything. If you get permission issues after this PR is merged, reach out to me!

The permissions affect GITHUB_TOKEN.

Here are some jobs that were confirmed not to require write permissions:

  • upload-artifact. It uses a system separate from GITHUB_TOKEN.
  • Creating a GitHub App Token.
  • Deleting an artifact with geekyeggo/delete-artifact@v5.
  • Writing or restoring a cache with actions/cache@v4.
  • Writing a comment while using the DD_AGENT_INTEGRATIONS_BOT_PRIVATE_KEY.

Our actions that update dependencies, label PRs or create backports should not be affected as they use the Agent Integrations App key, not the GitHub token.

Temporary workflow I used to check permissions:
https://github.com/DataDog/integrations-core/actions/runs/11818825782/workflow
Here is a run:
https://github.com/DataDog/integrations-core/actions/runs/11798454943/job/32864652866

Motivation

This PR is the first step in complying with https://datadoghq.atlassian.net/browse/VULN-8234.

Review checklist (to be filled by reviewers)

  • Feature or bugfix MUST have appropriate tests (unit, integration, e2e)
  • Add the qa/skip-qa label if the PR doesn't need to be tested during QA.
  • If you need to backport this PR to another branch, you can add the backport/<branch-name> label to the PR and it will automatically open a backport PR once this one is merged
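A workflow shaped for the read-only default the PR prepares for, added here as an illustration and not part of this PR or the integrations-core repository. The App-token step (actions/create-github-app-token), the APP_ID repository variable and the test script are assumptions:

```yaml
name: least-privilege-example
on:
  pull_request:

# With the repository default set to "Read-only", GITHUB_TOKEN only gets
# what is declared here. Declaring any permission key sets all undeclared
# scopes to none, so be explicit about the full set a workflow needs.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    # Inherits the read-only GITHUB_TOKEN. Checkout of a public/own repo and
    # upload-artifact work without any write scope.
    steps:
      - uses: actions/checkout@v4
      - run: ./run-tests.sh            # hypothetical test script
      - uses: actions/upload-artifact@v4
        with:
          name: test-results
          path: results/

  comment:
    runs-on: ubuntu-latest
    needs: test
    # Writes a PR comment with a GitHub App token rather than GITHUB_TOKEN,
    # so no pull-requests: write scope is granted to the workflow token.
    steps:
      - id: app-token
        uses: actions/create-github-app-token@v1   # assumed action
        with:
          app-id: ${{ vars.APP_ID }}               # hypothetical variable
          private-key: ${{ secrets.DD_AGENT_INTEGRATIONS_BOT_PRIVATE_KEY }}
      - env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
        run: gh pr comment "${{ github.event.pull_request.number }}" --body "Permissions Test"
```

Jobs that genuinely need a write scope (e.g. creating a release) should declare it at the job level under their own `permissions:` block rather than widening the workflow-wide default.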

@datadog-agent-integrations-bot
Contributor

Permissions Test


codecov bot commented Nov 13, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 89.75%. Comparing base (1583b10) to head (9ce0ec0).
Report is 6 commits behind head on master.

Additional details and impacted files
Flag            Coverage Δ
activemq        ?
cassandra       ?
hive            ?
hivemq          ?
hudi            ?
ignite          ?
jboss_wildfly   ?
kafka           ?
presto          ?
solr            ?
sqlserver       91.05% <100.00%> (+9.14%) ⬆️

Flags with carried forward coverage won't be shown.

@nubtron nubtron closed this Nov 13, 2024
@nubtron nubtron force-pushed the nubtron/granular-workflow-permissions branch from 46a62bd to 1583b10 Compare November 13, 2024 16:54
@nubtron nubtron reopened this Nov 13, 2024
@nubtron nubtron marked this pull request as ready for review November 13, 2024 17:00
@nubtron nubtron requested review from a team as code owners November 13, 2024 17:00