
Use minimal permissions for CI jobs#885

Merged
newpavlov merged 1 commit into master from ci_permissions
Apr 3, 2023

Conversation

@newpavlov
Member

@newpavlov newpavlov commented Apr 2, 2023

For most jobs we only need to read the contents to run tests. But I am not sure which permissions should be used for the security audit job. I think it should be something like:

permissions:
  contents: read
  checks: write
  issues: write

For now I will leave the default permissions.

Relevant issues: actions-rs/audit-check#218, actions-rs/audit-check#220
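As an added illustration (not the diff of this PR), here is what the split the description talks about looks like in a workflow file: a read-only default for every job, with only the audit job granted the `checks: write` and `issues: write` scopes proposed above. The job names, the `cargo test` step and the use of `actions-rs/audit-check` with the default `GITHUB_TOKEN` are assumptions for the example.

```yaml
# Added example, not this PR's own diff: read-only default permissions
# for the whole workflow, with the audit job alone given the write
# scopes suggested in the PR description (checks and issues).
name: CI

on:
  push:
    branches: [master]
  pull_request:

# Workflow-level default: every job receives only read access to the
# repository contents unless the job overrides it below.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    # Inherits the read-only default above; running tests needs nothing more.
    steps:
      - uses: actions/checkout@v3
      - run: cargo test

  security_audit:
    runs-on: ubuntu-latest
    # Job-level override: the audit action publishes check results and can
    # open issues for reported advisories, so it needs these write scopes.
    # Listing them here keeps the rest of the workflow read-only.
    permissions:
      contents: read
      checks: write
      issues: write
    steps:
      - uses: actions/checkout@v3
      - uses: actions-rs/audit-check@v1
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
```

A job-level `permissions` block replaces the workflow-level one for that job, so any scope the job still needs (here `contents: read`) has to be repeated rather than assumed to be inherited.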

@newpavlov newpavlov requested a review from tarcieri April 2, 2023 03:47
@tarcieri
Member

tarcieri commented Apr 2, 2023

FWIW I went through the repos and set the permissions to read-only quite a while ago:

https://github.com/RustCrypto/utils/settings/actions

[Screenshot: repository Actions settings page, 2023-04-02]

This could be belt-and-suspenders, I guess, but using administrative actions rather than configurations seems like a bit more surefire approach.

@newpavlov
Member Author

It looks like this setting is equivalent to the restricted column with some additional rights to manipulate pull requests. It will be hard to do something malicious with such rights, but either way using tighter permissions probably will not hurt.

@newpavlov newpavlov merged commit 13385f6 into master Apr 3, 2023
@newpavlov newpavlov deleted the ci_permissions branch April 3, 2023 19:02