github actions: set workflow permissions to read-only #1662

Closed
jku opened this issue Nov 4, 2021 · 0 comments · Fixed by #1663
Comments


jku commented Nov 4, 2021

Description of issue or feature request:

We could set the CI workflow permissions to read-only in the workflow:

  • pull_request runs are already always read-only so they are not affected: this only affects the runs on merge commits
  • this is not about creating a real security barrier but more of a devops hygiene thing: having write access to everything in the repository and github project is not great, so it would be better if a commit that needs write access then also needs to visibly change the permissions in the workflow file.

Current behavior:
Default GITHUB_TOKEN Permissions on merge runs:

  Actions: write
  Checks: write
  Contents: write
  Deployments: write
  Discussions: write
  Issues: write
  Metadata: read
  Packages: write
  Pages: write
  PullRequests: write
  RepositoryProjects: write
  SecurityEvents: write
  Statuses: write

Expected behavior:
These permissions are likely enough for our CI workflow:

  Contents: read
  Metadata: read
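One way to express the proposed change in a workflow file, as an added example that is not the project's own CI workflow and not the contents of the linked fix PR (the workflow name, the script paths and the `release` job are placeholders chosen for illustration):

```yaml
name: CI

on:
  push:
    branches: [main]
  pull_request:

# Workflow-level default for GITHUB_TOKEN. Listing only contents: read
# turns every unlisted scope off (metadata: read is always granted),
# which yields exactly the "Contents: read / Metadata: read" set the
# issue expects for merge-commit runs.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      # Hypothetical test script; stands in for the project's real test step.
      - run: ./run-tests.sh

  # Any job that genuinely needs to write must say so itself, which is the
  # visible change to the workflow file the issue wants to force. The
  # job-level block replaces the workflow-level default for that job only,
  # so this job gets contents: write and nothing else.
  release:
    needs: test
    if: github.event_name == 'push'
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v2
      # Hypothetical publish script.
      - run: ./publish.sh
```

To check the effect after merging, open the "Set up job" step of a run triggered by a push to the default branch: its "GITHUB_TOKEN Permissions" block should now list only `Contents: read` and `Metadata: read`, matching the expected behavior above, while a job that declares its own `permissions` shows that job's scopes instead. The same top-level block can also be written as `permissions: read-all`, but that grants read on every scope rather than the minimal two listed in the issue.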