
OpenSSF scorecard "Token-permissions" score zero #3012

Closed
fraxken opened this issue Mar 28, 2024 · 4 comments · Fixed by #3021
Labels
bug Something isn't working

Comments

@fraxken
Member

fraxken commented Mar 28, 2024

Hello there 👋,

Today in the Node.js security meeting we discussed that the undici project score had dropped due to a change in the workflows. This seems to be related to the following commit.


Full report here

1. nightly.yml and test.yml seem to lack global permissions:

   permissions:
     contents: read

2. In nodejs.yml we have warnings to review the following permissions:

   permissions:
     contents: write
     pull-requests: write
     actions: write

Github Action Merge Dependabot requires pull-requests and contents (not sure if actions is required). These warnings are perhaps to be ignored.

@nodejs/security-wg

@fraxken fraxken added the bug Something isn't working label Mar 28, 2024
@fraxken fraxken changed the title OpenSSF scorecard permission OpenSSF scorecard "Token-permissions" score zero Mar 28, 2024
@metcoder95
Member

#3013 closes this issue?

@fraxken
Member Author

fraxken commented Mar 28, 2024

> #3013 closes this issue?

Not yet. I'm working on the nodejs workflow. If everything is OK I will close it myself (else I will open another PR).

@mweberxyz
Contributor

mweberxyz commented Mar 28, 2024

My bad on that change. The GHA documentation is a bit bare on permissions; by not setting the global permissions, does it essentially issue a full read-write token to the workflow?

Edit: Nvm found it: https://docs.github.com/en/actions/security-guides/automatic-token-authentication
These defaults are crazy permissive.

Also just to confirm: Are job-level permissions additive to workflow-level?

For example, in nightly at the workflow level we now have:

permissions:
  contents: read

then the report-failure job within that workflow:

  report-failure:
    permissions:
      issues: write

So there's no need to explicitly set contents: read in the report-failure?

@fraxken
Member Author

fraxken commented Mar 29, 2024

> My bad on that change. The GHA documentation is a bit bare on permissions; by not setting the global permissions, does it essentially issue a full read-write token to the workflow?

I think it depends on the GitHub permission setting (but by default yes, it has read-write almost everywhere).

> Also just to confirm: Are job-level permissions additive to workflow-level?

Yes. The basic idea is to set read at the root and then assign the right permission by jobs.

You can read more here about how OpenSSF scorecard builds the score (there are also some tips and links).
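A least-privilege layout for the nightly/report-failure pattern discussed in this thread, as an added example and not undici's actual workflow (the job names, schedule, npm commands and the github-script step are assumptions). Note that a job-level permissions block replaces the workflow-level set for that job rather than adding to it, so any scope the job does not list is none for that job.

```yaml
# Added example (not undici's real nightly.yml): workflow-level read-only
# default with a narrowly scoped job-level override.
name: nightly

on:
  schedule:
    - cron: '0 0 * * *'   # placeholder schedule, assumption
  workflow_dispatch:

# Workflow-level default: every job gets a read-only GITHUB_TOKEN unless
# it declares its own permissions block. Without this key the token falls
# back to the repository's default, which may be read-write on all scopes,
# which is what Scorecard's Token-Permissions check flags.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    # No permissions block here, so this job inherits the workflow-level
    # set above: contents: read and nothing else.
    steps:
      - uses: actions/checkout@v4
      - run: npm ci
      - run: npm test

  report-failure:
    needs: test
    if: ${{ failure() }}
    runs-on: ubuntu-latest
    # A job-level permissions block does not merge with the workflow-level
    # one: every scope not listed here is none for this job. The job only
    # calls the Issues API and never checks out code, so issues: write is
    # sufficient and it intentionally has no contents access.
    permissions:
      issues: write
    steps:
      - uses: actions/github-script@v7
        with:
          script: |
            await github.rest.issues.create({
              owner: context.repo.owner,
              repo: context.repo.repo,
              title: `Nightly run failed: ${context.runId}`,
              body: `${context.serverUrl}/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}`,
            })
```

If a job does need both checkout and a write scope, list contents: read alongside the write scope in that job's block, since inheriting it from the workflow level is not possible once the job declares its own permissions.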
