ci/permissions: Restrict permissions for remaining workflows #31603

Merged
merged 2 commits into envoyproxy:main from scorecard-token-permissions
Jan 3, 2024

Conversation

@phlax (Member) commented Jan 3, 2024

Commit Message:
Additional Description:
Risk Level:
Testing:
Docs Changes:
Release Notes:
Platform Specific Features:
[Optional Runtime guard:]
[Optional Fixes #Issue]
[Optional Fixes commit #PR or SHA]
[Optional Deprecated:]
[Optional API Considerations:]

@phlax (Member, Author) commented Jan 3, 2024

cc @mmorel-35 - not sure if we need to add some back in jobs

@mmorel-35 (Contributor) commented

What do you mean by "back in jobs"?

Signed-off-by: Ryan Northey <ryan@synca.io>
@phlax phlax force-pushed the scorecard-token-permissions branch from 5024ef9 to dac49b0 Compare January 3, 2024 08:30
@phlax (Member, Author) commented Jan 3, 2024

What do you mean by "back in jobs" ?

provide job-level permissions

@mmorel-35 (Contributor) commented

OK. Usually I use https://app.stepsecurity.io/secureworkflow to help define the right configuration:

[image]

Is this also what you did?

@phlax (Member, Author) commented Jan 3, 2024

Is this also what you did?

no - I generally define them by hand (after checking the docs and the action)

in this case I'm responding to a scorecard alert that these wfs don't have global token restrictions

@@ -1,5 +1,8 @@
name: 'Sync downstream'

permissions:
contents: read
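Review bot: the workflow-level block grants only `contents: read`, and because a top-level `permissions:` key replaces the default token grant entirely, every scope not listed here (issues, pull-requests, packages, and so on) drops to none for every job in this file; that matches the note below that this workflow does its writes through app auth rather than the GITHUB_TOKEN, but a job added later that needs a write should get a job-level `permissions:` override rather than a widening of this block.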
@phlax (Member, Author) commented on this hunk

this one is good - it uses appauth

@phlax (Member, Author) commented Jan 3, 2024

afaict - this is what is required for codeql

    permissions:
      contents: read
      security-events: write
      pull-requests: read

github/codeql-action#464

@phlax (Member, Author) commented Jan 3, 2024

which I think is already covered - except perhaps read perms in a private repo - I'll update
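The thread above turns on three things: a Scorecard alert that these workflows have no global token restriction, the remedy of a read-only top-level `permissions:` block, and job-level grants (such as `security-events: write` for CodeQL) for the one job that needs them. The following is an added example, written for this page and not Envoy's code or anything from the PR, that audits a workflow file for exactly that pattern. It assumes a hand-written parser for the YAML subset workflow files use (nested mappings; list items such as `steps` are skipped), so it runs without PyYAML, and the three sample workflows it checks are constructed for the example rather than taken from the repository.

```python
"""Audit GITHUB_TOKEN permissions in a GitHub Actions workflow (added example; not Envoy's
code nor part of this PR). A check in the spirit of the Scorecard Token-Permissions alert:
fail when the workflow lacks a top-level `permissions:` block or grants write there, and
note job-level writes (expected for CodeQL). Assumption: a hand-written parser for the YAML
subset workflows use (nested mappings; list items are skipped). Samples are constructed."""
import re
from typing import Any, Dict, List, Tuple

_KEY_RE = re.compile(r"^([A-Za-z0-9_.-]+):(?:\s*(.*))?$")
MISSING = object()  # key absent, as opposed to a bare `permissions:` with no value
_indent = lambda line: len(line) - len(line.lstrip(" "))  # noqa: E731


def _parse_block(lines: List[str], i: int, indent: int) -> Tuple[Dict[str, Any], int]:
    """Parse consecutive mapping lines at exactly `indent` spaces; return (mapping, next i)."""
    out: Dict[str, Any] = {}
    while i < len(lines):
        stripped = lines[i].strip()
        if not stripped or stripped.startswith("#"):
            i += 1
            continue
        cur = _indent(lines[i])
        if cur < indent:
            break  # this block is finished
        m = _KEY_RE.match(stripped)
        if cur > indent or m is None:
            i += 1  # list item (e.g. `- uses:`) or a line nested under one: skip it and anything deeper
            while i < len(lines) and (not lines[i].strip() or _indent(lines[i]) > indent):
                i += 1
            continue
        key, value = m.group(1), (m.group(2) or "").split(" #", 1)[0].strip()
        if value:
            out[key] = value.strip("'\"")
            i += 1
            continue
        j = i + 1  # bare `key:`: the child mapping starts on the next non-blank line
        while j < len(lines) and (not lines[j].strip() or lines[j].strip().startswith("#")):
            j += 1
        if j < len(lines) and _indent(lines[j]) > indent:
            out[key], i = _parse_block(lines, j, _indent(lines[j]))
        else:
            out[key], i = None, j
    return out, i


def _write_scopes(perm: Any) -> List[str]:
    """Scopes a permissions value grants `write` on; '*' stands for write-all."""
    if isinstance(perm, str):
        return ["*"] if perm == "write-all" else []
    return sorted(k for k, v in perm.items() if v == "write") if isinstance(perm, dict) else []


def audit_workflow(text: str) -> List[Tuple[str, str]]:
    """Return (level, message) findings, level being 'fail' or 'info'; empty means clean."""
    doc, _ = _parse_block(text.splitlines(), 0, 0)
    findings: List[Tuple[str, str]] = []
    top = doc.get("permissions", MISSING)
    if top is MISSING:
        findings.append(("fail", "no top-level permissions: jobs inherit the repository default token"))
    for scope in _write_scopes(top):
        findings.append(("fail", f"top-level permissions grant write on {scope}; move that to the job"))
    jobs = doc.get("jobs")
    for name, job in (jobs.items() if isinstance(jobs, dict) else []):
        writes = _write_scopes(job.get("permissions", MISSING)) if isinstance(job, dict) else []
        if writes:
            findings.append(("info", f"job '{name}' grants write on {', '.join(writes)}"))
        elif top is MISSING and isinstance(job, dict) and "permissions" not in job:
            findings.append(("fail", f"job '{name}' sets no job-level permissions either"))
    return findings


def passes(text: str) -> bool:
    return all(level != "fail" for level, _ in audit_workflow(text))


# Constructed samples: a CodeQL-style workflow before and after the pattern this PR applies
# (top-level read-only, with writes granted only to the job that needs them), plus write-all.
BEFORE = """\
name: CodeQL
on: [pull_request]
jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/analyze@v3
"""
AFTER = """\
name: CodeQL
on: [pull_request]
permissions:
  contents: read
jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
      pull-requests: read
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/analyze@v3
"""
WRITE_ALL = "name: Sync downstream\npermissions: write-all\njobs:\n  sync:\n    runs-on: ubuntu-latest\n"

if __name__ == "__main__":
    for label, wf in (("before", BEFORE), ("after", AFTER), ("write-all", WRITE_ALL)):
        print(label, "PASS" if passes(wf) else "FAIL", audit_workflow(wf))
```

Run it as a script to see BEFORE and WRITE_ALL fail and AFTER pass with a single informational line about the job-level `security-events: write`; the parser is deliberately minimal (no anchors, flow mappings or multi-line scalars), which is enough for the `permissions:` blocks this check cares about but should not be mistaken for a general YAML loader.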

Signed-off-by: Ryan Northey <ryan@synca.io>
@wbpcode (Member) left a review comment

LGTM. Thanks.

@phlax phlax enabled auto-merge (squash) January 3, 2024 09:18
@phlax (Member, Author) commented Jan 3, 2024

/retest

@phlax phlax merged commit f812033 into envoyproxy:main Jan 3, 2024
52 of 53 checks passed
3 participants