chore: Set permissions for GitHub actions#2400
Conversation
Codecov Report
@@ Coverage Diff @@
## main #2400 +/- ##
=======================================
Coverage 62.96% 62.96%
=======================================
Files 133 133
Lines 17287 17287
=======================================
Hits 10885 10885
Misses 6402 6402 📣 Codecov can now indicate which changes are the most critical in Pull Requests. Learn more |
| permissions: | ||
| actions: read # for github/codeql-action/init to get workflow details | ||
| contents: read # for actions/checkout to fetch code | ||
| security-events: write # for github/codeql-action/autobuild to send a status report |
There was a problem hiding this comment.
Based on the log the security events still seem to have read permissions only. Though the rest was indeed set to none. Is this an upstream bug or I misunderstand something?
GITHUB_TOKEN Permissions
Actions: read
Contents: read
Metadata: read
SecurityEvents: read
There was a problem hiding this comment.
AFAIK, the SecurityEvents: write is required for writing events. Thanks!
There was a problem hiding this comment.
Yes, that's the problem here, I still see it as "read" rather than "write" in the logs for this PR:
https://github.com/astropy/astroquery/runs/6469748769?check_suite_focus=true#step:1:20
|
Thank you @naveensrinivasan. The PR is certainly an improvement of the current situation, I'll go ahead and merge, but first would like to understand one minor point. |
Restrict the GitHub token permissions only to the required ones; this way, even if the attackers will succeed in compromising your workflow, they won’t be able to do much. - Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/) Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
f19b7f5 to
0a145f3
Compare
Thanks! Took care of the conflicts! |
|
OK, so let's go ahead with this. I suppose that Thank you! |
Restrict the GitHub token permissions only to the required ones; this way, even if the attackers will succeed in compromising your workflow, they won’t be able to do much.
https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs
Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests
Signed-off-by: naveen 172697+naveensrinivasan@users.noreply.github.com