Commit cf16613
chore: restrict GitHub workflow permissions - future-proof (#1227)

See swiftlang/github-workflows#167 for additional context.

This approach aligns with security best practices, as detailed in the following documentation:

- https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
- https://docs.github.com/en/actions/reference/workflows-and-actions/workflow-syntax#defining-access-for-the-github_token-scopes
- https://openssf.org/blog/2024/08/12/mitigating-attack-vectors-in-github-workflows/

The default GITHUB_TOKEN permissions are defined at the repository level. This PR modifies the workflow-level overrides to conform to OpenSSF best practices -> defense in depth.

Allow me to quote OpenSSF: https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions

> "The highest score is awarded when the permissions definitions in each workflow's yaml file are set as read-only at the top level and the required write permissions are declared at the run-level."
>
> Remediation steps
> - Set top-level permissions as read-all or contents: read as described in GitHub's documentation.
> - Set any required write permissions at the job-level. Only set the permissions required for that job; do not set permissions: write-all at the job level.

Compare to the LLVM project:

Top-level: contents read, e.g. https://github.com/swiftlang/llvm-project/blob/next/.github/workflows/build-ci-container-windows.yml#L3-L4 -> this makes it future-proof

Job-level: Allow write permissions as needed, e.g. https://github.com/swiftlang/llvm-project/blob/next/.github/workflows/build-ci-container-windows.yml#L53-L58

Signed-off-by: Melissa Kilby <mkilby@apple.com>

1 parent cd8cac4
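An added illustration of the pattern the commit message describes, not taken from this commit or from any swiftlang repository: the first document is a workflow with no `permissions` block, so each job inherits whatever the repository default for GITHUB_TOKEN is; the second adds a read-only workflow-level block and grants the single write scope on the one job that needs it. The workflow names, the `make test` step and the `gh pr comment` job are assumptions made for the example.

```yaml
# BEFORE (constructed example): no workflow-level permissions block.
# Every job gets the repository default for GITHUB_TOKEN, which on
# repositories that still use the legacy default is write-all.
name: ci-before
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make test

---
# AFTER (constructed example): read-only floor at the top level,
# write access declared only where a job actually needs it.
name: ci-after
on: [pull_request]

permissions:
  contents: read          # applies to every job that has no permissions block of its own

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4     # needs only contents: read, inherited from above
      - run: make test

  comment:
    needs: build
    runs-on: ubuntu-latest
    # A job-level block replaces the workflow-level one for this job:
    # scopes not listed here become "none", so contents: read is
    # restated in case a later step adds a checkout.
    permissions:
      contents: read
      pull-requests: write  # the only write scope, and only on this job
    steps:
      - run: gh pr comment "$PR_NUMBER" --body "build passed"
        env:
          GH_TOKEN: ${{ github.token }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
```

The practical effect is that a compromised step in `build` (a malicious dependency, a poisoned action) holds a token that can read the repository but cannot push, tag, comment, or touch packages and releases; only `comment` carries the PR write scope, and nothing else. A job that was silently relying on the old default to write will now fail with an HTTP 403 from the API at run time, not at YAML validation, so each migrated workflow is worth exercising once after the change.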
File tree
3 files changed
+9
-0
lines changed
- .github/workflows

| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
1 | 1 | | |
2 | 2 | | |
| 3 | + | |
| 4 | + | |
| 5 | + | |
3 | 6 | | |
4 | 7 | | |
5 | 8 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
1 | 1 | | |
2 | 2 | | |
| 3 | + | |
| 4 | + | |
| 5 | + | |
3 | 6 | | |
4 | 7 | | |
5 | 8 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
1 | 1 | | |
2 | 2 | | |
| 3 | + | |
| 4 | + | |
| 5 | + | |
3 | 6 | | |
4 | 7 | | |
5 | 8 | | |
| |||
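Review bot: the three `+` lines at lines 3-5 of each of the three workflow files are, per the commit message, the read-only top-level `permissions:` block, but the diff bodies did not survive in this view, so that cannot be confirmed from the table itself; please verify the inserted text is `permissions:` / `contents: read` in all three files and that it sits before `jobs:`. The remaining review item is the second half of the OpenSSF remediation quoted in the message: for each of the three workflows, check whether any job pushes commits or tags, comments on pull requests or issues, publishes packages, or uploads release assets, because such a job now needs its scope declared under its own job-level `permissions:` block, and a job-level block replaces the workflow-level one entirely for that job, so `contents: read` must be repeated there if the job also checks out the repository. A missing job scope surfaces at run time as an HTTP 403 rather than as a validation error, so running each affected workflow once after this lands is the practical check.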