
ci: ensure least privilege permissions for GHA tokens #12035

Merged
merged 1 commit into from
Oct 19, 2023

Conversation

agilgur5
Member

@agilgur5 agilgur5 commented Oct 18, 2023

Partial fix for #12031, Token Permissions

Motivation

  • This is an OpenSSF Scorecard check: Token Permissions
    • Not many changes required, but the ones made ensure that if a new GHA Job is added to an existing GHA Workflow, it will only have read-only permissions unless explicitly specified in the GHA Job itself

Modifications

Basically follow the OpenSSF Scorecard directions

  • default to permissions.contents: read for read-only permissions for a GHA Workflow
    • this was missing from pr.yaml and was write for docs.yaml
  • only add needed permissions per specific GHA Job
    • move the permissions.contents: write for docs.yaml into the docs: Job
  • also add comments for why all permissions are needed

Verification

  • pr.yaml still successfully runs on this PR
  • docs.yaml has no real semantic changes since there was only 1 GHA job there anyway

- this is an [OpenSSF Scorecard check](https://github.com/ossf/scorecard/blob/8eaf0d7647a3f50d80615812c72a277fd568fb6d/docs/checks.md#token-permissions)

- default to `permissions.contents: read` for read-only permissions for a GHA Workflow
  - this was missing from `pr.yaml` and was `write` for `docs.yaml`
- only add needed permissions per specific GHA Job
  - move the `permissions.contents: write` for `docs.yaml` into the `docs:` Job

- also add comments for why all permissions are needed

Signed-off-by: Anton Gilgur <agilgur5@gmail.com>
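The pattern the PR describes, shown as an added illustration rather than the contents of argoproj's real `pr.yaml` or `docs.yaml`: the weak shape (a workflow-wide `contents: write`, or no `permissions` block at all, which falls back to the repository's default token permissions and can be write) next to the least-privilege shape, where the workflow defaults to read-only and only the one job that pushes gets `contents: write`. Job names, steps and the `gh-pages` target are hypothetical.

```yaml
# --- BEFORE (hypothetical): every job in the workflow receives a write token ---
name: docs-before
on: [push]

permissions:
  contents: write   # workflow-wide write: a newly added job silently inherits it

jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make lint        # only needs to read the repo, but holds a write token

  docs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make docs
      - run: ./publish-to-gh-pages.sh   # the only step that actually writes

---
# --- AFTER (hypothetical): read-only by default, write granted per job ---
name: docs-after
on: [push]

# Workflow-level default. Any job added later that does not declare its own
# `permissions` block gets a read-only GITHUB_TOKEN. This is what the OpenSSF
# Scorecard "Token-Permissions" check looks for.
permissions:
  contents: read

jobs:
  lint:
    runs-on: ubuntu-latest
    # no `permissions` block: inherits the read-only workflow default
    steps:
      - uses: actions/checkout@v4
      - run: make lint

  docs:
    runs-on: ubuntu-latest
    # Job-level override. Declaring `permissions` on a job replaces the
    # workflow default for that job only, so list every scope this job needs
    # and say why each one is there (the PR adds such comments for the same reason).
    permissions:
      contents: write   # needed to push the generated site to the gh-pages branch
    steps:
      - uses: actions/checkout@v4
      - run: make docs
      - run: ./publish-to-gh-pages.sh
```

Two details worth checking when applying this to a real workflow: a job-level `permissions` block does not merge with the workflow-level one, so a job that needs, for example, both `contents: write` and `pull-requests: write` must list both; and leaving `permissions` out entirely (the `pr.yaml` case in this PR) is not the same as `contents: read`, because the effective token scope then comes from the repository or organization default setting rather than from the file under review.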
@agilgur5 agilgur5 added type/security Security related area/build Build or GithubAction/CI issues labels Oct 18, 2023
@terrytangyuan terrytangyuan merged commit 247448c into argoproj:master Oct 19, 2023
17 checks passed
@agilgur5 agilgur5 deleted the ci-least-privilege-tokens branch October 19, 2023 23:37
@agilgur5 agilgur5 added this to the v3.5.x patches milestone May 27, 2024
agilgur5 added a commit that referenced this pull request May 27, 2024
Labels
area/build Build or GithubAction/CI issues type/security Security related