Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

GitHub Workflows security hardening #2740

Merged
merged 4 commits into from
Oct 27, 2023
Merged

GitHub Workflows security hardening #2740

merged 4 commits into from
Oct 27, 2023

Conversation

sashashura
Copy link
Contributor

This PR adds explicit permissions section to workflows. This is a security best practice because by default workflows run with extended set of permissions (except from on: pull_request from external forks). By specifying any permission explicitly all others are set to none. By using the principle of least privilege the damage a compromised workflow can do (because of an injection or compromised third party tool or action) is restricted.
It is recommended to have most strict permissions on the top level and grant write permissions on job level case by case.

@sashashura
build: harden tests.yml permissions
9ef4be8 
Signed-off-by: Alex <aleksandrosansan@gmail.com>
@sashashura
build: harden release-please.yml permissions
40d0027 
Signed-off-by: Alex <aleksandrosansan@gmail.com>
@sashashura
build: harden visual-studio.yml permissions
605ade2 
Signed-off-by: Alex <aleksandrosansan@gmail.com>
@rvagg
Copy link
Member

rvagg commented Sep 27, 2022

sgtm, someone else with more extensive Actions experience want to weigh in? I haven't played with permissions myself yet.

anonrig
anonrig reviewed Sep 29, 2022
View reviewed changes
Copy link
Member

@anonrig anonrig left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for your contribution. I added one small comment. Other than that it looks good to me. For folks looking for the Github Workflow documentation, here's the link.

.github/workflows/release-please.yml Outdated
@@ -5,8 +5,13 @@ on:
branches:
- main

permissions: {}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It seems this line is unnecessary, since there is only one job in this workflow.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is optionional. I have removed it now.

@sashashura
Copy link
Contributor Author

Is it ready to be merged?

@lukekarrys lukekarrys self-assigned this Oct 27, 2023
@lukekarrys lukekarrys merged commit 26683e9 into nodejs:main Oct 27, 2023
lukekarrys pushed a commit that referenced this pull request Dec 2, 2024
@sashashura @lukekarrys
chore: GitHub Workflows security hardening (#2740)
c89599f 
* build: harden tests.yml permissions

Signed-off-by: Alex <aleksandrosansan@gmail.com>

* build: harden release-please.yml permissions

Signed-off-by: Alex <aleksandrosansan@gmail.com>

* build: harden visual-studio.yml permissions

Signed-off-by: Alex <aleksandrosansan@gmail.com>

* Update release-please.yml

---------

Signed-off-by: Alex <aleksandrosansan@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@anonrig anonrig anonrig left review comments

Assignees

@lukekarrys lukekarrys

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@sashashura @rvagg @anonrig @lukekarrys