Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

GitHub Workflows security hardening #96492

Merged
merged 2 commits into from
Oct 8, 2022
Merged

Conversation

sashashura
Copy link
Contributor

This PR adds explicit permissions section to workflows. This is a security best practice because by default workflows run with extended set of permissions (except from on: pull_request from external forks). By specifying any permission explicitly all others are set to none. By using the principle of least privilege the damage a compromised workflow can do (because of an injection or compromised third party tool or action) is restricted.
It is recommended to have most strict permissions on the top level and grant write permissions on job level case by case.

Signed-off-by: sashashura <93376818+sashashura@users.noreply.github.com>
@cpython-cla-bot
Copy link

cpython-cla-bot bot commented Sep 1, 2022

All commit authors signed the Contributor License Agreement.
CLA signed

@bedevere-bot
Copy link

Most changes to Python require a NEWS entry.

Please add it using the blurb_it web app or the blurb command-line tool.

@sashashura
Copy link
Contributor Author

sashashura commented Sep 1, 2022

Most changes to Python require a NEWS entry.

Please add it using the blurb_it web app or the blurb command-line tool.

I believe it is a building infrastructure change only and doesn't require NEWS entry.
Also it is a trivial change, so issue number is not needed.

@matthiasgoergens
Copy link
Contributor

Would this ever cause any problem to non-malicious users?

@sashashura
Copy link
Contributor Author

Would this ever cause any problem to non-malicious users?

In this case it is more about potential supply chain - what damage can be done by running build tool or action if it is ever compromised. Like not running with sudo unnecessarily.

@sashashura
Copy link
Contributor Author

Please let me know if you have any questions.

repository-projects: write is not needed because a separate secrets.ADD_TO_PROJECT_PAT is used
@sashashura
Copy link
Contributor Author

Just for the reference these are the current permissions:

image

@matthiasgoergens
Copy link
Contributor

For what it's worth, I think this is very worthwhile. +1 from me!

Alas, I have no authority to approve anything. Not sure how you can get the attention from someone who does?

@ezio-melotti
Copy link
Member

I tested this in https://github.com/python/cpython/actions/runs/3209712807 after merging and verified that it still works. Thanks for the PR!

carljm added a commit to carljm/cpython that referenced this pull request Oct 8, 2022
* main:
  pythongh-68686: Retire eptag ptag scripts (python#98064)
  pythongh-97922: Run the GC only on eval breaker (python#97920)
  GitHub Workflows security hardening (python#96492)
  Add `@ezio-melotti` as codeowner for `.github/`. (python#98079)
  pythongh-97913 Docs: Add walrus operator to the index (python#97921)
  [doc] Fix broken links to C extensions accelerating stdlib modules (python#96914)
  pythongh-97822: Fix http.server documentation reference to test() function (python#98027)
  pythongh-91052: Add PyDict_Unwatch for unwatching a dictionary (python#98055)
  pythonGH-98023: Change default child watcher to PidfdChildWatcher on supported systems (python#98024)
  pythonGH-94182: Run the PidfdChildWatcher on the running loop (python#94184)
carljm added a commit to carljm/cpython that referenced this pull request Oct 9, 2022
* main: (5519 commits)
  Minor edits to the Descriptor HowTo Guide (pythonGH-24901)
  Fix link to Lifecycle of a Pull Request in CONTRIBUTING (python#98102)
  pythonGH-94597: deprecate `SafeChildWatcher`, `FastChildWatcher` and `MultiLoopChildWatcher` child watchers  (python#98089)
  Auto-cancel old builds when new commit pushed to branch (python#98009)
  pythongh-95011: Migrate syslog module to Argument Clinic (pythonGH-95012)
  pythongh-68686: Retire eptag ptag scripts (python#98064)
  pythongh-97922: Run the GC only on eval breaker (python#97920)
  GitHub Workflows security hardening (python#96492)
  Add `@ezio-melotti` as codeowner for `.github/`. (python#98079)
  pythongh-97913 Docs: Add walrus operator to the index (python#97921)
  [doc] Fix broken links to C extensions accelerating stdlib modules (python#96914)
  pythongh-97822: Fix http.server documentation reference to test() function (python#98027)
  pythongh-91052: Add PyDict_Unwatch for unwatching a dictionary (python#98055)
  pythonGH-98023: Change default child watcher to PidfdChildWatcher on supported systems (python#98024)
  pythonGH-94182: Run the PidfdChildWatcher on the running loop (python#94184)
  pythongh-92886: make test_ast pass with -O (assertions off) (pythonGH-98058)
  pythongh-92886: make test_coroutines pass with -O (assertions off) (pythonGH-98060)
  pythongh-57179: Add note on symlinks for os.walk (python#94799)
  pythongh-94808: Fix regex on exotic platforms (python#98036)
  pythongh-90085: Remove vestigial -t and -c timeit options (python#94941)
  ...
mpage pushed a commit to mpage/cpython that referenced this pull request Oct 11, 2022
* Update project-updater.yml

Signed-off-by: sashashura <93376818+sashashura@users.noreply.github.com>

* Update project-updater.yml

repository-projects: write is not needed because a separate secrets.ADD_TO_PROJECT_PAT is used

Signed-off-by: sashashura <93376818+sashashura@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
Status: Done
Archived in project
Development

Successfully merging this pull request may close these issues.

5 participants