Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore: Set permissions for GitHub actions #2997

Merged
merged 2 commits into from
Sep 19, 2022
Merged

chore: Set permissions for GitHub actions #2997

merged 2 commits into from
Sep 19, 2022

Conversation

neilnaveen
Copy link
Contributor

@neilnaveen
chore: Set permissions for GitHub actions
28c2d73 
 Restrict the GitHub token permissions only to the required ones; this way, even if the attackers will succeed in compromising your workflow, they won’t be able to do much.

- Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions

https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions

https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs

[Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)

Signed-off-by: neilnaveen <42328488+neilnaveen@users.noreply.github.com>
@kataggart kataggart added this to To Do in Conditioning++ via automation Jun 23, 2022
@nvoxland nvoxland added the SafeToBuild Indicates that a particular PR contains changes which are safe to build using GitHub actions label Aug 31, 2022
@github-actions
Copy link

github-actions bot commented Aug 31, 2022
edited

Unit Test Results

  4 620 files  ±0    4 620 suites  ±0   31m 53s ⏱️ - 3m 57s
  4 619 tests ±0    4 404 ✔️ ±0     215 💤 ±0  0 ±0 
54 600 runs  ±0  49 580 ✔️ ±0  5 020 💤 ±0  0 ±0 

Results for commit 51c43d6. ± Comparison against base commit 98e7a36.

♻️ This comment has been updated with latest results.

@nvoxland nvoxland self-requested a review as a code owner September 1, 2022 15:35
@nvoxland nvoxland added SafeToBuild Indicates that a particular PR contains changes which are safe to build using GitHub actions and removed SafeToBuild Indicates that a particular PR contains changes which are safe to build using GitHub actions labels Sep 1, 2022
nvoxland
nvoxland approved these changes Sep 4, 2022
View reviewed changes
Copy link
Contributor

@nvoxland nvoxland left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code review and test results:

Things to be aware of:

  • Only changes permissions in build logic
  • Failing pro-tests are unrelated to build logic changes here

Things to worry about:

  • Nothing

XDelphiGrl
XDelphiGrl approved these changes Sep 19, 2022
View reviewed changes
Copy link
Contributor

@XDelphiGrl XDelphiGrl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

PR tightens GitHub Action workflow security to prevent PRs triggering pull_request_target events from accessing GitHub write credentials.

  • Changes impact build logic, not production code.
  • No additional testing required.

This excerpt from a GitHub Security Lab post is a good summary of what is addressed in this PR:

"GitHub workflows can be triggered through a wide variety of repository events. This includes events related to incoming pull requests (PR). There exists a potentially dangerous misuse of the pull_request_target workflow trigger that may lead to malicious PR authors (i.e. attackers) being able to obtain repository write permissions or stealing repository secrets."

APPROVED

@nvoxland nvoxland merged commit e7be0d8 into liquibase:master Sep 19, 2022
@tabbyf00
Copy link

Thanks for your PR submission! We just finished reviewing and merging it into the 4.17.0 release on October 10, 2022. When you get a chance, could you please Star the Liquibase project? The star button is in the upper right corner of the screen.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nvoxland nvoxland nvoxland approved these changes

@XDelphiGrl XDelphiGrl XDelphiGrl approved these changes

@suryaaki2 suryaaki2 suryaaki2 approved these changes

Assignees
No one assigned
Labels
autocandidate complexityLocal criticalityBuilder ignore-release-notes SafeToBuild Indicates that a particular PR contains changes which are safe to build using GitHub actions Severity3 sprint2022-34 TypeEnhancement
Projects
Liquibase Open Source
Archived in project
Conditioning++
To Do
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@neilnaveen @tabbyf00 @nvoxland @XDelphiGrl @suryaaki2 @kataggart