Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

NIFI-10575 add minimum GitHub token permissions for workflows #6469

Closed
wants to merge 1 commit into from
Closed

NIFI-10575 add minimum GitHub token permissions for workflows #6469

wants to merge 1 commit into from

Conversation

ashishkurmi
Copy link
Contributor

Description

This PR adds minimum token permissions for the GITHUB_TOKEN in GitHub Actions workflows using secure-workflows.

The GitHub Actions workflow has a GITHUB_TOKEN with write access to multiple scopes. Here is an example of the permissions in one of the workflow runs:
https://github.com/apache/nifi/actions/runs/3167551611/jobs/5158128990#step:1:19

After this change, the scopes will be reduced to the minimum needed for the following workflows:

  • ci-workflow.yml
  • stale.yml
  • system-tests.yml

Motivation and Context

  • This is a security best practice, so if the GITHUB_TOKEN is compromised due to a vulnerability or compromised Action, the damage will be reduced.
  • GitHub recommends defining minimum GITHUB_TOKEN permissions.
  • The Open Source Security Foundation (OpenSSF) Scorecards also treats not setting token permissions as a high-risk issue. This change will help increase the Scorecard score for this repository.

Signed-off-by: Ashish Kurmi akurmi@stepsecurity.io

@ashishkurmi
ci: add minimum GitHub token permissions for workflows
28690f8 
Signed-off-by: Ashish Kurmi <akurmi@stepsecurity.io>
@ashishkurmi ashishkurmi mentioned this pull request Oct 2, 2022
Open
@ashishkurmi ashishkurmi changed the title ci: add minimum GitHub token permissions for workflows NIFI-10575 add minimum GitHub token permissions for workflows Oct 3, 2022
exceptionfactory
exceptionfactory approved these changes Oct 3, 2022
View reviewed changes
Copy link
Contributor

@exceptionfactory exceptionfactory left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for improvement and creating the associated Jira for tracking @boahc077! The changes look good! +1 merging

@exceptionfactory exceptionfactory added the hacktoberfest-accepted Hacktoberfest Accepted label Oct 3, 2022
@exceptionfactory exceptionfactory mentioned this pull request Oct 3, 2022
Closed
p-kimberley pushed a commit to p-kimberley/nifi that referenced this pull request Oct 15, 2022
@ashishkurmi @sashashura @p-kimberley
NIFI-10575 Added minimum GitHub token permissions for workflows
1d8f536 
This closes apache#6469

Signed-off-by: David Handermann <exceptionfactory@apache.org>
Co-authored-by: Ashish Kurmi <akurmi@stepsecurity.io>
Co-authored-by: Alex <aleksandrosansan@gmail.com>
@ashishkurmi ashishkurmi mentioned this pull request Dec 21, 2022
Open
87 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@exceptionfactory exceptionfactory exceptionfactory approved these changes

Assignees
No one assigned
Labels
hacktoberfest-accepted Hacktoberfest Accepted
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@ashishkurmi @exceptionfactory