🚨 Upcoming "Brownout" Tests for GITHUB_TOKEN Permission Changes

[felddy]

Hello cisagov Team,

As we move closer to changing the default GITHUB_TOKEN permissions for the cisagov organization from permissive to restrictive mode, we will be conducting two "brownout" periods this week to assess the impact. During these brownout periods, we will temporarily toggle the setting to the restrictive mode to see what breaks and identify areas requiring adjustment.

The brownout periods are scheduled as follows:

• Wednesday, November 13th, 1:00 PM - 3:00 PM EST
• Thursday, November 14th, 9:00 AM - 5:00 PM EST

During these times, workflows that require elevated permissions beyond the restrictive defaults may fail. This is an opportunity for us to identify issues and take necessary remediation steps ahead of making the permanent change.

Final Switch Date

We plan to make the final switch to restrictive permissions on Monday, November 18th. Please ensure that all workflows are updated and tested before this date.

What You Need to Do

• Be Aware of Potential Workflow Failures: If you have workflows scheduled during these times, please monitor them for any failures.
• Review & Update Permissions: If any failures occur, check whether your workflows need additional permissions explicitly defined. You can find our original announcement with details here: https://github.com/orgs/cisagov/discussions/31.

We also provided references to a GitHub tool that helps identify required permission changes based on your workflows, along with examples of how to update permissions in your workflow YAML files.

The purpose of these brownout periods is to provide insight into potential impacts without making a permanent change yet. This proactive approach will allow us to minimize disruption when the final switch is made.

Please let us know if you have any questions or encounter any issues during the brownout periods. Your feedback will be essential to make this transition smooth for all our repositories.

Thanks for your cooperation as we make our GitHub organization more secure!

Mentions: @cisagov/gov @cisagov/cdi-adg @cisagov/cisa-ea @cisagov/csso @cisagov/cyber-dhs-gov @cisagov/decider @cisagov/esi-interns @cisagov/handbook-team @cisagov/icsnpp-admins @cisagov/industrial-control-systems-section @cisagov/ivaal @cisagov/jcdc @cisagov/lme @cisagov/nrmc @cisagov/nrmc-hssedi @cisagov/nrmc-is4s @cisagov/nsd @cisagov/pnnl @cisagov/scuba @cisagov/steps @cisagov/team-cdet @cisagov/team-cpg @cisagov/team-inl @cisagov/team-sei @cisagov/team-th @cisagov/team-vm @cisagov/vince

[felddy]

Hello cisagov Team,

The first brownout test for changing the GITHUB_TOKEN permissions to restrictive mode was executed successfully, and we did not observe any signs of workflow failures. Thank you to everyone who monitored their workflows during this period.

We are about to begin the second brownout period, scheduled for Thursday, November 14th, from 9:00 AM to 5:00 PM EST. During this time, workflows relying on elevated permissions may fail, so please continue monitoring and making any necessary updates.

As a reminder, we will make the final switch to restrictive permissions on Monday, November 18th. Please ensure that any required changes are made before then.

Thank you for your attention and cooperation!

[felddy]

Hello again cisagov Team,

We have successfully concluded the second brownout period for changing the GITHUB_TOKEN permissions to restrictive mode. We did not observe any major impacts during this test, which is a fantastic outcome.

We also saw a few pull requests where maintainers were proactively fixing permissions, which is awesome—thank you for paying close attention and taking action!

We will proceed with making the permanent switch to restrictive permissions on Monday, November 18th. If you haven't already, please make any necessary updates to your workflows before then.

Thank you again for your continued cooperation as we enhance our GitHub organization's security!