
CI: Set minimum permissions on GitHub Workflows #764

Closed
diogoteles08 opened this issue Mar 1, 2023 · 2 comments · Fixed by #765

Comments

@diogoteles08
Contributor

Hello!

I'd like to suggest the definition of minimal permissions on your GitHub workflows, as it would harden your security against supply-chain attacks. I see that one of your workflows (codeql-analysis) declares job-level minimal dependencies, but the other workflows don't actually define them, and they would be set as the GitHub defaults.

The ideal is to always define top-level minimal permissions (that would be inherited by all jobs with unspecified permissions), and then use job-level permissions for any job that might need other specific permissions. In this way you would be secured against erroneous or malicious actions from external jobs you call from your workflow. It's especially important in the case they get compromised, for example.

Setting minimum permissions for workflows is recommended by GitHub itself and also by other security tools, such as Scorecards and StepSecurity.

I'd be happy to raise a PR with the changes if you agree.

Context
I'm Diogo and I work on Google's Open Source Security Team (GOSST) in cooperation with the Open Source Security Foundation (OpenSSF). My core job is to suggest and implement security changes on widely used open source projects 😊

@klauspost
Owner

klauspost commented Mar 2, 2023

@diogoteles08 Thanks! I looked at the docs, and I think I'd be most comfortable with a PR, if you don't mind

Goreleaser recommends these permissions for their action:

```yaml
permissions:
  contents: write
```

The rest is just standard tests.
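A release workflow laid out the way the two comments above describe, as an added example and not a file from this repository: a top-level `permissions` block restricted to `contents: read`, which the test job inherits, and a job-level override to `contents: write` only for the job that runs GoReleaser. The action versions, Go version and job names are assumptions.

```yaml
# Example workflow (not the project's own file). Without the top-level
# block below, every job would run with the repository's default token
# permissions, which on older repositories are read/write for all scopes.
name: release

on:
  push:
    tags:
      - "v*"

# Top-level default: read-only access to repository contents.
# Every job that does not declare its own `permissions` inherits this,
# so a compromised third-party action in those jobs cannot push or
# publish anything with the workflow token.
permissions:
  contents: read

jobs:
  test:
    # No `permissions` here, so this job inherits `contents: read`.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3          # version assumed
      - uses: actions/setup-go@v3          # version assumed
        with:
          go-version: "1.20"               # version assumed
      - run: go test ./...

  goreleaser:
    needs: test
    runs-on: ubuntu-latest
    # Job-level override: GoReleaser needs to create the GitHub release
    # and upload assets, which requires write access to contents. This
    # is the only job that gets it; all other scopes stay at `none`
    # because a job-level block replaces the inherited one entirely.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v3          # version assumed
        with:
          fetch-depth: 0                   # full history for changelog
      - uses: actions/setup-go@v3          # version assumed
        with:
          go-version: "1.20"               # version assumed
      - uses: goreleaser/goreleaser-action@v4   # version assumed
        with:
          args: release --clean
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

Note that a job-level `permissions` block does not merge with the top-level one: any scope not listed in the job's block is set to `none`, so list every scope that job genuinely needs.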

@diogoteles08
Contributor Author

Of course, I'll be raising the PR shortly
