GitHub Workflows security hardening #4587
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Gradle Check (Jenkins) Run Completed with:
|
Codecov Report
@@ Coverage Diff @@
## main #4587 +/- ##
=========================================
Coverage 70.98% 70.98%
+ Complexity 58185 58169 -16
=========================================
Files 4711 4711
Lines 277573 277573
Branches 40180 40180
=========================================
+ Hits 197031 197040 +9
- Misses 64386 64392 +6
+ Partials 16156 16141 -15
Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. |
dreamer-89
approved these changes
Sep 26, 2022
Gradle Check (Jenkins) Run Completed with:
|
Gradle Check (Jenkins) Run Completed with:
|
dblock
approved these changes
Sep 27, 2022
Gradle Check (Jenkins) Run Completed with:
|
saratvemulapalli
approved these changes
Sep 27, 2022
saratvemulapalli
added
backport 2.x
VachaShah
reviewed
Sep 27, 2022
.github/workflows/version.yml
Outdated
| jobs: | ||
| build: | ||
| permissions: | ||
| contents: write # to create branch (peter-evans/create-pull-request) |
There was a problem hiding this comment.
This might not need the permissions since the token used here is from the Github App Token from an app and not the default Github token.
There was a problem hiding this comment.
Sorry for missing that. You are right. Fixed.
Gradle Check (Jenkins) Run Completed with:
|
dblock
approved these changes
Sep 29, 2022
Gradle Check (Jenkins) Run Completed with:
|
|
Please amend commits to fix DCO with |
dblock
reviewed
Oct 5, 2022
CHANGELOG.md
Outdated
| @@ -6,6 +6,7 @@ Inspired from [Keep a Changelog](https://keepachangelog.com/en/1.0.0/) | |||
|
|
|||
| ### Added | |||
|
|
|||
| - GitHub Workflows token permission hardening ([#4587](https://github.com/opensearch-project/OpenSearch/pull/4587)) | |||
There was a problem hiding this comment.
Nit: maybe we can turn all these changelog lines into something that was actioned, e.g. Hardened token permissions in GitHub workflow?
sashashura
force-pushed
the
patch-1
branch
3 times, most recently
from
34a40e0
to
d89482d
Compare
Signed-off-by: sashashura <aleksandrosansan@gmail.com>
Gradle Check (Jenkins) Run Completed with:
|
Gradle Check (Jenkins) Run Completed with:
|
Gradle Check (Jenkins) Run Completed with:
|
Gradle Check (Jenkins) Run Completed with:
|
|
I don't think the gradle check failure is related to the changes, but let me know. |
Gradle Check (Jenkins) Run Completed with:
|
Gradle Check (Jenkins) Run Completed with:
|
|
@reta Could you please review it? |
reta
approved these changes
Dec 1, 2022
mch2
added
backport 2.x
|
The backport to To backport manually, run these commands in your terminal: # Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/backport-2.x 2.x
# Navigate to the new working tree
pushd ../.worktrees/backport-2.x
# Create a new branch
git switch --create backport/backport-4587-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 d266a732aea4cf87781acf93e92c56ad3f1d0913
# Push it to GitHub
git push --set-upstream origin backport/backport-4587-to-2.x
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/backport-2.xThen, create a pull request where the |
mch2
pushed a commit
to mch2/OpenSearch
that referenced
this pull request
Jan 30, 2023
Signed-off-by: sashashura <aleksandrosansan@gmail.com> Signed-off-by: sashashura <aleksandrosansan@gmail.com> (cherry picked from commit d266a73)
6 tasks
|
Manual backport #6097 |
mch2
pushed a commit
to mch2/OpenSearch
that referenced
this pull request
Jan 30, 2023
Signed-off-by: sashashura <aleksandrosansan@gmail.com> Signed-off-by: sashashura <aleksandrosansan@gmail.com> (cherry picked from commit d266a73) Signed-off-by: Marc Handalian <handalm@amazon.com>
mch2
pushed a commit
to mch2/OpenSearch
that referenced
this pull request
Jan 30, 2023
Signed-off-by: sashashura <aleksandrosansan@gmail.com> Signed-off-by: sashashura <aleksandrosansan@gmail.com> (cherry picked from commit d266a73) Signed-off-by: Marc Handalian <handalm@amazon.com>
6 tasks
andrross
pushed a commit
that referenced
this pull request
Jan 30, 2023
6 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR adds explicit permissions section to workflows. This is a security best practice because by default workflows run with extended set of permissions (except from
on: pull_requestfrom external forks). By specifying any permission explicitly all others are set to none. By using the principle of least privilege the damage a compromised workflow can do (because of an injection or compromised third party tool or action) is restricted.It is recommended to have most strict permissions on the top level and grant write permissions on job level case by case.