Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ci: add minimum GitHub token permissions for workflows #2819

Merged

Conversation

ashishkurmi
Copy link
Contributor

Description

This PR adds minimum token permissions for the GITHUB_TOKEN in GitHub Actions workflows using secure-workflows.

The GitHub Actions workflow has a GITHUB_TOKEN with write access to multiple scopes. Here is an example of the permissions in one of the workflow runs:
https://github.com/stan-dev/math/actions/runs/3153019054/jobs/5128975789#step:1:19

After this change, the scopes will be reduced to the minimum needed for the following workflows:

  • header_checks.yml
  • main.yml

Motivation and Context

  • This is a security best practice, so if the GITHUB_TOKEN is compromised due to a vulnerability or compromised Action, the damage will be reduced.
  • GitHub recommends defining minimum GITHUB_TOKEN permissions.
  • The Open Source Security Foundation (OpenSSF) Scorecards also treats not setting token permissions as a high-risk issue. This change will help increase the Scorecard score for this repository.

Signed-off-by: Ashish Kurmi [email protected]

Copy link
Member

@WardBrian WardBrian left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good! Thanks for bringing this up

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants