Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ci: workflows security hardening #1385

Merged
merged 3 commits into from
Sep 26, 2022
Merged

ci: workflows security hardening #1385

merged 3 commits into from
Sep 26, 2022

Conversation

sashashura
Copy link
Contributor

This PR adds explicit permissions section to workflows. This is a security best practice because by default workflows run with extended set of permissions (except from on: pull_request from external forks). By specifying any permission explicitly all others are set to none. By using the principle of least privilege the damage a compromised workflow can do (because of an injection or compromised third party tool or action) is restricted.
It is recommended to have most strict permissions on the top level and grant write permissions on job level case by case.

@sashashura
build: harden semantic-pull-request.yml permissions
8231dac 
Signed-off-by: Alex <aleksandrosansan@gmail.com>
@sashashura
build: harden ci.yml permissions
d5f696e 
Signed-off-by: Alex <aleksandrosansan@gmail.com>
@sashashura sashashura requested a review from a team as a code owner September 23, 2022 21:03
@sashashura sashashura changed the title GitHub Workflows security hardening ci: workflows security hardening Sep 23, 2022
@xDivisionByZerox xDivisionByZerox added p: 1-normal Nothing urgent c: security Indicates a vulnerability c: infra Changes to our infrastructure or project setup labels Sep 23, 2022
@xDivisionByZerox xDivisionByZerox added this to the v7 - Current Major milestone Sep 23, 2022
@codecov
Copy link

codecov bot commented Sep 23, 2022
edited
Loading

Codecov Report

Merging #1385 (d5f696e) into main (9361578) will decrease coverage by 0.00%.
The diff coverage is n/a.

❗ Current head d5f696e differs from pull request most recent head 6e9f0d5. Consider uploading reports for the commit 6e9f0d5 to get more accurate results

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #1385      +/-   ##
==========================================
- Coverage   99.63%   99.62%   -0.01%     
==========================================
  Files        2163     2163              
  Lines      241275   241275              
  Branches     1017     1013       -4     
==========================================
- Hits       240392   240368      -24     
- Misses        862      886      +24     
  Partials       21       21
Impacted Files Coverage Δ
src/modules/internet/user-agent.ts 81.74% <0.00%> (-6.35%) ⬇️

ST-DDT
ST-DDT approved these changes Sep 23, 2022
View reviewed changes
Copy link
Member

@ST-DDT ST-DDT left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This PR seems legit, I haven't seen that many repositories that have the permissions explicitly set yet though.
A quick search in the js ecosystem didn't result in any explicit permission configurations (vite/vitest/...).
However, I only found a single PR for java (spring) by the same author.

Here is the GH-TOKEN permission diff:

Before: https://github.com/faker-js/faker/actions/runs/3107588269/jobs/5035863133#step:1:19
After: https://github.com/faker-js/faker/actions/runs/3115625100/jobs/5052991942#step:1:17

@ST-DDT ST-DDT requested a review from a team September 23, 2022 22:33
@sashashura
Copy link
Contributor Author

This PR seems legit, I haven't seen that many repositories that have the permissions explicitly set yet though. A quick search in the js ecosystem didn't result in any explicit permission configurations (vite/vitest/...). However, I only found a single PR for java (spring) by the same author.

There are 19488 workflows already using explicit permissions. Though I don't know how many repositories it is.

@Shinigami92 Shinigami92 enabled auto-merge (squash) September 26, 2022 09:02
@Shinigami92 Shinigami92 merged commit 7438a8a into faker-js:main Sep 26, 2022
wael-fadlallah pushed a commit to wael-fadlallah/faker that referenced this pull request Oct 14, 2022
@sashashura @wael-fadlallah
ci: workflows security hardening (faker-js#1385)
e0a52aa
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ST-DDT ST-DDT ST-DDT approved these changes

@ejcheng ejcheng ejcheng approved these changes

@xDivisionByZerox xDivisionByZerox xDivisionByZerox approved these changes

@Shinigami92 Shinigami92 Awaiting requested review from Shinigami92

Assignees

@sashashura sashashura

Labels
c: infra Changes to our infrastructure or project setup c: security Indicates a vulnerability p: 1-normal Nothing urgent
Projects
No open projects
Faker Roadmap
Status: Done
Milestone
v7 - Current Major
Development

Successfully merging this pull request may close these issues.
5 participants
@sashashura @ST-DDT @ejcheng @xDivisionByZerox @Shinigami92