Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ci: Add GitHub token permissions for workflows #34298

Merged
merged 1 commit into from May 22, 2022
Merged

ci: Add GitHub token permissions for workflows #34298

merged 1 commit into from May 22, 2022

Conversation

varunsh-coder
Copy link
Contributor

Description of Change

GitHub asks developers to define workflow permissions, see https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/ and https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token for securing GitHub workflows against supply-chain attacks.

The Open Source Security Foundation (OpenSSF) Scorecards also treats not setting token permissions as a high-risk issue.

This PR adds minimum token permissions for the GITHUB_TOKEN using https://github.com/step-security/secure-workflows.

This project is part of the top 100 critical projects as per OpenSSF (https://github.com/ossf/wg-securing-critical-projects), so fixing the token permissions to improve security.

Checklist

Release Notes

Notes: Added minimum GITHUB_TOKEN permissions

@welcome
Copy link

welcome bot commented May 20, 2022

💖 Thanks for opening this pull request! 💖

We use semantic commit messages to streamline the release process. Before your pull request can be merged, you should update your pull request title to start with a semantic prefix.

Examples of commit messages with semantic prefixes:

  • fix: don't overwrite prevent_default if default wasn't prevented
  • feat: add app.isPackaged() method
  • docs: app.isDefaultProtocolClient is now available on Linux

Things that will help get your PR across the finish line:

  • Follow the JavaScript, C++, and Python coding style.
  • Run npm run lint locally to catch formatting errors earlier.
  • Document any user-facing changes you've made following the documentation styleguide.
  • Include tests when adding/changing behavior.
  • Include screenshots and animated GIFs whenever possible.

We get a lot of pull requests on this repo, so please be patient and we will get back to you as soon as we can.

@varunsh-coder varunsh-coder mentioned this pull request May 20, 2022
Open
@MarshallOfSound MarshallOfSound merged commit ff13fa8 into electron:main May 22, 2022
@welcome
Copy link

welcome bot commented May 22, 2022

Congrats on merging your first pull request! 🎉🎉🎉

@release-clerk
Copy link

release-clerk bot commented May 22, 2022

Release Notes Persisted

Added minimum GITHUB_TOKEN permissions

@commit-lint commit-lint bot mentioned this pull request Jul 26, 2022
Open
@varunsh-coder varunsh-coder mentioned this pull request Jul 28, 2022
Open
32 tasks
@ashishkurmi ashishkurmi mentioned this pull request Dec 21, 2022
Open
87 tasks
khalwa pushed a commit to solarwindscloud/electron that referenced this pull request Feb 22, 2023
@varunsh-coder @khalwa
ci: Add GitHub token permissions for workflows (electron#34298)
2401647 
ci: add GitHub token permissions
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@MarshallOfSound MarshallOfSound MarshallOfSound approved these changes

Assignees
No one assigned
Labels
no-backport semver/none
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@varunsh-coder @MarshallOfSound