Skip to content

Build: Limit permissions for GitHub workflows#5119

Merged
mgol merged 3 commits intojquery:mainfrom
sashashura:patch-1
Dec 1, 2022
Merged

Build: Limit permissions for GitHub workflows#5119
mgol merged 3 commits intojquery:mainfrom
sashashura:patch-1

Conversation

@sashashura
Copy link
Copy Markdown
Contributor

@sashashura sashashura commented Sep 20, 2022

This PR adds explicit permissions section to workflows. This is a security best practice because by default workflows run with extended set of permissions (except from on: pull_request from external forks). By specifying any permission explicitly all others are set to none. By using the principle of least privilege the damage a compromised workflow can do (because of an injection or compromised third party tool or action) is restricted.
It is recommended to have most strict permissions on the top level and grant write permissions on job level case by case.

@sashashura
build: harden node.js.yml permissions
a550a3c 
Signed-off-by: Alex <aleksandrosansan@gmail.com>
@sashashura
build: harden codeql-analysis.yml permissions
a490702 
Signed-off-by: Alex <aleksandrosansan@gmail.com>
@sashashura
Copy link
Copy Markdown
Contributor Author

sashashura commented Dec 1, 2022

@mgol Could you please review it?

@sashashura
Copy link
Copy Markdown
Contributor Author

sashashura commented Dec 1, 2022

An example of a recent workflow run with unrestricted permissions:
image

mgol
mgol reviewed Dec 1, 2022
View reviewed changes
Comment thread .github/workflows/codeql-analysis.yml Outdated
mgol
mgol approved these changes Dec 1, 2022
View reviewed changes
Copy link
Copy Markdown
Member

@mgol mgol left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you!

@mgol mgol added this to the 3.6.2 milestone Dec 1, 2022
@mgol mgol changed the title GitHub Workflows security hardening Build: Limit permissions for GitHub workflows Dec 1, 2022
@mgol mgol merged commit c909d6b into jquery:main Dec 1, 2022
mgol pushed a commit that referenced this pull request Dec 1, 2022
@sashashura @mgol
Build: Limit permissions for GitHub workflows
0d9fae4 
Add explicit permissions section[^1] to workflows. This is a security
best practice because by default workflows run with extended set
of permissions[^2] (except from `on: pull_request` from external forks[^3].
By specifying any permission explicitly all others are set to none. By using
the principle of least privilege the damage a compromised workflow can do
(because of an injection[^4] or compromised third party tool or action) is
restricted. It is recommended to have most strict permissions on the top
level[^5] and grant write permissions on job level[^6] on a case by case
basis.

[^1]: https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
[^2]: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
[^3]: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
[^4]: https://securitylab.github.com/research/github-actions-untrusted-input/
[^5]: https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
[^6]: https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs

Closes gh-5119

(cherry picked from commit c909d6b)
@mgol
Copy link
Copy Markdown
Member

mgol commented Dec 1, 2022

Landed on main in c909d6b and on 3.x-stable in 0d9fae4.

@timmywil timmywil added the Build label Feb 6, 2024
@github-actions github-actions Bot locked as resolved and limited conversation to collaborators Sep 24, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@mgol mgol mgol approved these changes

Assignees

No one assigned

Labels

Build

Milestone

3.6.2

Development

Successfully merging this pull request may close these issues.

3 participants

@sashashura @mgol @timmywil