Conversation

varunsh-coder
Contributor
This PR adds minimum token permissions for the GITHUB_TOKEN in GitHub Actions workflows using https://github.com/step-security/secure-workflows.

GitHub recommends defining minimum GITHUB_TOKEN permissions for securing GitHub Actions workflows.

This project is part of the top 100 critical projects as per OpenSSF (https://github.com/ossf/wg-securing-critical-projects), so this PR fixes the token permissions to improve security.

Before the change:
GITHUB_TOKEN has write permissions for multiple scopes, e.g.
https://github.com/elastic/elasticsearch/runs/7940988530?check_suite_focus=true#step:1:19

After the change:
GITHUB_TOKEN will have minimum permissions needed for the jobs.

Signed-off-by: Varun Sharma <varunsh@stepsecurity.io>
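For readers unfamiliar with the change the PR description refers to, here is an added, constructed workflow illustrating the kind of least-privilege `permissions` block GitHub recommends; it is not the PR's own diff, and the workflow name, steps and label value are placeholders.

```yaml
# Constructed example, not this PR's diff.
# Before the change, a workflow like this would have no `permissions` key at all,
# so GITHUB_TOKEN inherited the repository/org default, which can be the
# permissive "write-all" set (write access to contents, issues, packages, ...).
#
# After the change, a top-level `permissions` block sets the baseline for every
# job to read-only, and a job that genuinely needs a write scope declares only
# that scope at the job level.
name: ci
on: [push, pull_request]

# Baseline for all jobs: read-only checkout, nothing else.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - run: ./gradlew check   # placeholder build command

  triage:
    runs-on: ubuntu-latest
    # Job-level override: this job alone may modify pull requests, and only that.
    permissions:
      pull-requests: write
    steps:
      - env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: gh pr edit "${{ github.event.pull_request.number }}" --add-label "needs:triage"
```

The easiest check that a workflow was hardened is to open the "Set up job" step of a run, as the PR description's "Before" link does, and confirm the listed GITHUB_TOKEN permissions contain only the scopes declared in the file.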
@elasticsearchmachine elasticsearchmachine added v8.5.0 needs:triage Requires assignment of a team area label external-contributor Pull request authored by a developer outside the Elasticsearch team labels Aug 21, 2022
@DJRickyB DJRickyB added :Delivery/Build Build or test infrastructure and removed needs:triage Requires assignment of a team area label labels Aug 31, 2022
@elasticsearchmachine elasticsearchmachine added the Team:Delivery Meta label for Delivery team label Aug 31, 2022
@elasticsearchmachine
Collaborator

Pinging @elastic/es-delivery (Team:Delivery)

@mark-vieira mark-vieira self-assigned this Aug 31, 2022
@mark-vieira mark-vieira merged commit c2b34a9 into elastic:main Aug 31, 2022
@mark-vieira
Contributor

Thanks for the contribution @varunsh-coder.
