Skip to content

chore(stale-action): Add GitHub token permissions #35713

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
LekoArts merged 2 commits into from
May 24, 2022
Merged

chore(stale-action): Add GitHub token permissions #35713

LekoArts merged 2 commits into from
May 24, 2022

Conversation

@varunsh-coder
Copy link
Contributor

@varunsh-coder varunsh-coder commented May 22, 2022

Description

GitHub asks developers to define workflow permissions, see https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/ and https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token for securing GitHub workflows against supply-chain attacks.

The Open Source Security Foundation (OpenSSF) Scorecards also treats not setting token permissions as a high-risk issue.

This PR adds minimum token permissions for the GITHUB_TOKEN using https://github.com/step-security/secure-workflows.

This project is part of the top 100 critical projects as per OpenSSF (https://github.com/ossf/wg-securing-critical-projects), so fixing the token permissions to improve security.

@gatsbot gatsbot bot added the status: triage needed Issue or pull request that need to be triaged and assigned to a reviewer label May 22, 2022
@varunsh-coder varunsh-coder mentioned this pull request May 22, 2022
Open
@LekoArts LekoArts added topic: automation Related to Circle CI, Peril, Renovate, scripts/*, Github Workflows, Github Actions, or Slackbot and removed status: triage needed Issue or pull request that need to be triaged and assigned to a reviewer labels May 24, 2022
@LekoArts LekoArts changed the title ci: Add GitHub token permissions for workflow chore(stale-action): Add GitHub token permissions May 24, 2022
@LekoArts LekoArts merged commit 763940c into gatsbyjs:master May 24, 2022
@varunsh-coder varunsh-coder mentioned this pull request Jul 28, 2022
Open
32 tasks
@ashishkurmi ashishkurmi mentioned this pull request Dec 21, 2022
Open
87 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@LekoArts LekoArts LekoArts approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

topic: automation Related to Circle CI, Peril, Renovate, scripts/*, Github Workflows, Github Actions, or Slackbot

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@varunsh-coder @LekoArts