chore: Set permissions for GitHub actions #1942
neilnaveen wants to merge 3 commits into home-assistant:dev from
Conversation
Restrict the GitHub token permissions only to the required ones; this way, even if attackers succeed in compromising your workflow, they won’t be able to do much.

- Included permissions for the action.

https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs
[Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)

Signed-off-by: neilnaveen <42328488+neilnaveen@users.noreply.github.com>
Hi @neilnaveen, it seems you haven't yet signed a CLA. Please do so here. Once you do that we will be able to review and accept this pull request. Thanks!
Can you also add global to the
I guess for
| permissions: | ||
| contents: read | ||
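Review bot: this workflow-level `contents: read` becomes redundant once the repository's default workflow permissions are switched to read-only (the settings link the reviewers give below); at that point every job already starts with a read-only token, so the block should be dropped as requested rather than kept as a second copy of the same policy.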
Instead of this, default workflow permissions should be set to read:
https://github.com/home-assistant/operating-system/settings/actions
Agreed, other than in the dev workflow, let's remove those. I will switch to the restricted setting in the project setting once we've merged this.
I disagree with that.
We do not need global additional scopes, each job should set what they need.
Right, we only need it in the first job afaict.
Please delete this, as we will set the default to read, so no explicit permissions are required here.
| - cron: "0 * * * *" | ||
| workflow_dispatch: | ||
| permissions: |
Co-authored-by: Joakim Sørensen <hi@ludeeus.dev>
I have added global permissions for both release.yml and dev.yml.
| permissions: | ||
| contents: read | ||
| pull-requests: read |
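Review bot: `pull-requests: read` is declared here at the workflow level, so every job in the workflow receives it although, per the discussion, only the `prepare` job needs it; move the three lines under `jobs: prepare:` so the scope is granted to that job alone and the other jobs fall back to the repository's read-only default.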
This one we'll have to keep, as it adds an additional global permission.
So we need this in the prepare job.
Sorry, I don't get it. What do you want me to do? Please let me know. Thanks.
Essentially, move these three lines into the job description, under

```yaml
jobs:
  prepare:
```
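The layout the reviewers converge on, written out as an added illustration rather than the PR's actual dev.yml: the repository-level "Workflow permissions" setting is assumed to already be read-only, so the workflow level declares nothing and each job lists only the scopes it needs. The `prepare` job and the schedule are from the thread; the `build` and `publish` jobs, the runner and the steps are assumed placeholders.

```yaml
# Added example, not the PR's own dev.yml. Assumes the repository setting
# "Workflow permissions" is already "Read repository contents and packages",
# so no workflow-level `permissions:` block is needed: every job starts
# with a read-only GITHUB_TOKEN unless it asks for more.
name: dev

on:
  schedule:
    - cron: "0 * * * *"
  workflow_dispatch:

jobs:
  prepare:
    runs-on: ubuntu-latest
    # Only this job reads pull-request metadata, so the extra scope is
    # granted here, not at the workflow level. Caveat: listing any key under
    # `permissions:` sets every unlisted scope to `none`, so `contents: read`
    # must be repeated or the checkout below would fail.
    permissions:
      contents: read
      pull-requests: read
    outputs:
      version: ${{ steps.version.outputs.version }}
    steps:
      - uses: actions/checkout@v4
      - id: version
        run: echo "version=$(date +%Y%m%d)" >> "$GITHUB_OUTPUT"  # placeholder step

  build:
    needs: prepare
    runs-on: ubuntu-latest
    # No `permissions:` block: inherits the repository default (read-only).
    steps:
      - uses: actions/checkout@v4
      - run: echo "building ${{ needs.prepare.outputs.version }}"  # placeholder step

  publish:
    needs: build
    runs-on: ubuntu-latest
    # The single job that must write. Scoping `contents: write` here means a
    # compromised step in `prepare` or `build` still holds a read-only token.
    permissions:
      contents: write
    steps:
      - run: echo "would upload ${{ needs.prepare.outputs.version }}"  # placeholder step
```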
| permissions: | ||
| contents: read | ||
Please delete this, as we will set the default to read, so no explicit permissions are required here.
| types: [published] | ||
| permissions: | ||
| contents: read |