Reduce the scope of the GITHUB_TOKEN by default #2139
Labels: 🏦 debt (Tech debt), 🥒 core team (Candidate for going onto the Cucumber Open Board: https://github.com/orgs/cucumber/projects/8)

Comments
We can also limit the actions allowed in the organisation in a few different ways.

We currently have these non-Cucumber, non-GitHub-provided actions; I can't tell which ones are verified publishers:
mattwynne added the 🏦 debt (Tech debt) and 🥒 core team (Candidate for going onto the Cucumber Open Board: https://github.com/orgs/cucumber/projects/8) labels on Jan 12, 2023
@sashashura has been submitting a number of PRs to the Cucumber org that reduce the access to the GitHub token for specific actions. This block-list approach is unfortunately scattergun and doesn't scale well; it is also insecure by default.

By reducing the scope across the organization we only have to increase it for the cucumber/action-create-github-release. All other actions do (as far as I know) require elevated permissions.
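As an added illustration of the least-privilege pattern the issue proposes (this is example configuration written for this page, not a workflow from the cucumber organisation), the workflow below sets the GITHUB_TOKEN to read-only at the top level, matching a restrictive organisation or repository default, and only the release job raises it to `contents: write`, which is the scope creating a GitHub release needs. The workflow name, trigger, job names, the placeholder test step and the version pin on the release action are assumptions; the action's inputs are not shown.

```yaml
# Added example, not a workflow from the cucumber organisation.
name: release          # assumed workflow name

on:
  push:
    tags:
      - "v*"           # assumed trigger: run on version tags

# Workflow-wide default: the token may only read repository contents.
# This mirrors a read-only organisation/repository default, so no job
# here depends on the historical permissive default. Any scope not
# listed in a permissions block is set to "none".
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    # Inherits the read-only default; no permissions block needed.
    steps:
      - uses: actions/checkout@v4
      - run: echo "run the test suite here"   # placeholder step

  release:
    needs: test
    runs-on: ubuntu-latest
    # Only this job is elevated, and only for the one scope that
    # creating a release requires; every other scope stays "none".
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      # The action named in the issue. The version is a placeholder;
      # pin to a full commit SHA in practice. Its inputs are omitted.
      - uses: cucumber/action-create-github-release@<version-placeholder>
```

Because a `permissions:` block that names any scope sets every unnamed scope to none, the release job ends up with `contents: write` and nothing else, and the `test` job never holds a write-capable token at all. With the organisation default switched to read-only as the issue proposes, workflows that declare no `permissions:` block get the same read-only token, so the elevation has to be written down explicitly wherever it is needed, which is what makes the setting auditable.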