Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Review the GITHUB_TOKEN permissions #70

Open
serdardalgic opened this issue Nov 17, 2022 · 0 comments
Open

Review the GITHUB_TOKEN permissions #70

serdardalgic opened this issue Nov 17, 2022 · 0 comments
Labels
github_actions Pull requests that update GitHub Actions code

Comments

@serdardalgic
Copy link
Contributor

Right now, any of the GH actions are using the default permissions, which are quite permissive.

GITHUB_TOKEN Permissions
  Actions: write
  Checks: write
  Contents: write
  Deployments: write
  Discussions: write
  Issues: write
  Metadata: read
  Packages: write
  Pages: write
  PullRequests: write
  RepositoryProjects: write
  SecurityEvents: write
  Statuses: write

Any of the GH Action runs shows these permissions during Set up job phase.

Here is the documentation to modify the GITHUB_TOKEN permissions. We may need to experiment on the GH Actions on what kind of permission they may need so that we can remove the unnecessary ones.

Because the 3rd party hooks have already run at least once, and the likelihood of exploitation is low. This Issue is a long term improvement on our CI pipeline, and not a blocker for the releases.

@l0r3bo can you provide more details on how to solve this issue? Thank you in advance.
@serdardalgic serdardalgic added the github_actions Pull requests that update GitHub Actions code label Nov 17, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
github_actions Pull requests that update GitHub Actions code
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@serdardalgic