Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

GitHub Workflows security hardening #3751

Merged
merged 7 commits into from
Sep 27, 2022
Merged

GitHub Workflows security hardening #3751

merged 7 commits into from
Sep 27, 2022

Conversation

sashashura
Copy link

This PR adds explicit permissions section to workflows. This is a security best practice because by default workflows run with extended set of permissions (except from on: pull_request from external forks). By specifying any permission explicitly all others are set to none. By using the principle of least privilege the damage a compromised workflow can do (because of an injection or compromised third party tool or action) is restricted.
It is recommended to have most strict permissions on the top level and grant write permissions on job level case by case.

@netlify
Copy link

netlify bot commented Sep 26, 2022
edited
Loading

Deploy Preview for compassionate-pike-271cb3 ready!

Name Link
🔨 Latest commit ceb0a38
🔍 Latest deploy log https://app.netlify.com/sites/compassionate-pike-271cb3/deploys/63319971caa2e500095ab047
😎 Deploy Preview https://deploy-preview-3751--compassionate-pike-271cb3.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site settings.

@IvanGoncharov IvanGoncharov merged commit 770acd6 into graphql:main Sep 27, 2022
IvanGoncharov added a commit to IvanGoncharov/graphql-js that referenced this pull request Dec 11, 2022
@IvanGoncharov
workflows: fix and cleanup permissions
66f162f 
Context: graphql#3751 added permissions to workflows.
It broke some of the workflows and was partially fixed in 3759
This PR attempt to fix rest of workflows and also cleanup permissions in general.
Assignining granular permissions is error-prone especially if we need to account of top-level workflow's permissions.
This PR attempt to solve this by explicitly listing permissions on each individual job.
It slightly increase verbosity for some workflows but is more maintanable by keeping permissions closer to steps that require them.
@IvanGoncharov IvanGoncharov mentioned this pull request Dec 11, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
PR: internal 🏠
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@sashashura @IvanGoncharov