8000 Set minimal workflow permissions · Issue #2772 · python/python-docs-es · GitHub

Set minimal workflow permissions #2772

Closed
pnacht opened this issue Dec 8, 2023 · 3 comments · Fixed by #2773

Comments

@pnacht
Contributor
pnacht commented Dec 8, 2023

This repo's automated workflows currently run with write-all tokens. This puts the project at risk of supply-chain attacks. GitHub recommends ensuring all workflows run with minimal permissions.

I've taken a look at the workflows and they don't need such broad permissions.

This issue can be solved in two ways:

  • add top-level read-only permissions to all workflows; and/or
  • set the default token permissions to read-only in the repo settings.

I'll be sending a PR along with this issue that sets the top-level permissions (and grants additional permissions for the jobs that need them). If you instead (or also) wish to modify the default token permissions:

  1. Open the repo settings
  2. Go to Actions > General
  3. Under "Workflow permissions", set them to "Read repository contents and packages permissions"

Disclosure: My name is Pedro and I work with Google and the Open Source Security Foundation to improve the supply-chain security of important open-source projects.

@mmmarcos
Collaborator

Thanks for the contribution and the details about the issue.

Changing default token permissions sounds like a good idea too. I do not have a maintainer role for this repo, so @cmaureir @rtobar what do you think?

@rtobar
Collaborator
rtobar commented Dec 11, 2023

I don't have a maintainer role either, and I also don't know who actually does -- I suspect @cmaureir does though. Otherwise we can ask in our Telegram group.

I left a minor comment in the PR, but overall I'm pretty happy with the changes. Like I said in the PR, I'll follow suit in other projects I maintain; I definitely like having a stricter token by default and avoiding security risks.

rtobar added a commit that referenced this issue Dec 12, 2023
Fixes #2772.

This PR sets top-level read-only permissions on all CI/CD workflows.
Jobs that require additional permissions (`stale.yml` and
`pr-comment.yml`) are given them at the job-level.

I made more significant changes in `pr-comment.yml`. It is vulnerable to
code injection, since it runs files controlled by the PR author
(`requirements.txt` and `scripts/list_missing_entries.py`, taken from
the PR). I have therefore modified the workflow to checkout those files
from the base branch instead, ensuring we're running trusted versions of
those files.

And in order to minimize the code that has access to the
`issues/pull-requests: write` permissions, I have separated the workflow
into two sequential jobs:

1. `define-comment`, which is unprivileged and does almost everything
2. `write-comment`, which has those additional permissions and uses them
to perform the very last step of actually writing the comment on the PR.

---------

Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
Co-authored-by: rtobar <rtobarc@gmail.com>
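A workflow shaped like the one the commit message describes, as an added example that is not the project's actual `pr-comment.yml`: a top-level read-only token, scripts taken only from the base branch, and the write permission confined to a final job. The trigger, the checkout layout, the Python version and the use of `gh pr comment` are assumptions; only the file names come from the commit message.

```yaml
name: pr-comment
# Trigger is an assumption. With pull_request_target the default checkout
# is the base branch, so requirements.txt and scripts/ come from trusted code.
on:
  pull_request_target:
    types: [opened, synchronize]

# Top-level default for every job: a read-only token.
permissions:
  contents: read

jobs:
  define-comment:
    # Unprivileged job: inherits the read-only token and does all the work.
    runs-on: ubuntu-latest
    outputs:
      body: ${{ steps.build.outputs.body }}
    steps:
      # Trusted copy of requirements.txt and scripts/ (base branch).
      - uses: actions/checkout@v4
      # The PR's files are checked out as data only; nothing under pr/ is run.
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          path: pr
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - run: pip install -r requirements.txt
      - id: build
        run: |
          # Script name from the page; its argument (the PR checkout) is assumed.
          {
            echo 'body<<__COMMENT_EOF__'
            python scripts/list_missing_entries.py pr
            echo '__COMMENT_EOF__'
          } >> "$GITHUB_OUTPUT"

  write-comment:
    # Only this job holds a write-capable token, and it runs no project code.
    needs: define-comment
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
    steps:
      - env:
          GH_TOKEN: ${{ github.token }}
          BODY: ${{ needs.define-comment.outputs.body }}
        run: >
          gh pr comment "${{ github.event.pull_request.number }}"
          --repo "$GITHUB_REPOSITORY" --body "$BODY"
```

The comment body is passed through an environment variable rather than interpolated into the shell line, so PR-controlled text cannot alter the command.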
@cmaureir
Collaborator
cmaureir commented Jan 3, 2024

Thanks for your contribution :)

I'll be sending a PR along with this issue that sets the top-level permissions (and grants additional permissions for the jobs that need them). If you instead (or also) wish to modify the default token permissions:

1. Open the repo settings

2. Go to [Actions > General](https://github.com/python/python-docs-es/settings/actions)

3. Under "Workflow permissions", set them to "Read repository contents and packages permissions"

This is now done 🎉
