Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ci: add minimum GitHub token permissions for workflows #13057

Merged
merged 1 commit into from
Sep 9, 2022
Merged

ci: add minimum GitHub token permissions for workflows #13057

merged 1 commit into from
Sep 9, 2022

Conversation

ashishkurmi
Copy link
Contributor

Description

This PR adds minimum token permissions for the GITHUB_TOKEN in GitHub Actions workflows using https://github.com/step-security/secure-workflows.

The GitHub Actions workflow has a GITHUB_TOKEN with write access to multiple scopes.
Here is an example of the permissions in one of the workflow runs:
https://github.com/openSUSE/open-build-service/runs/8251662522?check_suite_focus=true#step:1:19

After this change, the scopes will be reduced to the minimum needed for the following workflows:

  • brakeman.yml
  • pull_request_labeler.yml

The following workflow file already has the least privileged token permission set:

  • scorecards.yml

Motivation and Context

Signed-off-by: Ashish Kurmi akurmi@stepsecurity.io

@ashishkurmi
ci: add minimum GitHub token permissions for workflows
81d5a3b 
Signed-off-by: Ashish Kurmi <akurmi@stepsecurity.io>
@github-actions github-actions bot added the Test Suite / CI 💉 Things related to our tests/CI label Sep 9, 2022
@ashishkurmi ashishkurmi mentioned this pull request Sep 9, 2022
Open
@krauselukas
Copy link
Contributor

@boahc077 thanks for your contribution!

krauselukas
krauselukas approved these changes Sep 9, 2022
View reviewed changes
Copy link
Contributor

@krauselukas krauselukas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me!

@hennevogel hennevogel merged commit 209bf99 into openSUSE:master Sep 9, 2022
@ashishkurmi ashishkurmi mentioned this pull request Dec 21, 2022
Open
87 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@krauselukas krauselukas krauselukas approved these changes

Assignees
No one assigned
Labels
Test Suite / CI 💉 Things related to our tests/CI
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@ashishkurmi @krauselukas @hennevogel