Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

GitHub Workflows security hardening #7136

Merged
merged 1 commit into from
Oct 31, 2022
Merged

GitHub Workflows security hardening #7136

merged 1 commit into from
Oct 31, 2022

Conversation

sashashura
Copy link
Contributor

This PR adds explicit permissions section to workflows. This is a security best practice because by default workflows run with extended set of permissions (except from on: pull_request from external forks). By specifying any permission explicitly all others are set to none. By using the principle of least privilege the damage a compromised workflow can do (because of an injection or compromised third party tool or action) is restricted.
It is recommended to have most strict permissions on the top level and grant write permissions on job level case by case.

@sashashura
build: harden pip.yml permissions
9d4580d 
Signed-off-by: Alex <aleksandrosansan@gmail.com>
@steven-johnson
Copy link
Contributor

Thanks for the fix!

@steven-johnson steven-johnson merged commit 0c03ff8 into halide:main Oct 31, 2022
steven-johnson pushed a commit that referenced this pull request Oct 31, 2022
@sashashura @steven-johnson
GitHub Workflows security hardening (#7136)
6ef3034 
build: harden pip.yml permissions

Signed-off-by: Alex <aleksandrosansan@gmail.com>

Signed-off-by: Alex <aleksandrosansan@gmail.com>
@steven-johnson steven-johnson mentioned this pull request Oct 31, 2022
Merged
steven-johnson added a commit that referenced this pull request Nov 1, 2022
@steven-johnson
Backport some PRs to release/15.x (#7138)
59cccf4 
* Rewrite python_bindings/apps (#7133)
* Apply 'Black' formatter to py/test/correctness and py/test/generators (#7135)
* halide.imageio needs to support arbitrary bufferviews (#7137)
* GitHub Workflows security hardening (#7136)
* Give pip.yml permission to read packages (#7139)
ardier pushed a commit to ardier/Halide-mutation that referenced this pull request Mar 3, 2024
@sashashura @ardier
GitHub Workflows security hardening (halide#7136)
02f82a2 
build: harden pip.yml permissions

Signed-off-by: Alex <aleksandrosansan@gmail.com>

Signed-off-by: Alex <aleksandrosansan@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@steven-johnson steven-johnson steven-johnson approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@sashashura @steven-johnson