-
Notifications
You must be signed in to change notification settings - Fork 1.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
GitHub Workflows security hardening #4587
Conversation
Gradle Check (Jenkins) Run Completed with:
|
Codecov Report
@@ Coverage Diff @@
## main #4587 +/- ##
=========================================
Coverage 70.98% 70.98%
+ Complexity 58185 58169 -16
=========================================
Files 4711 4711
Lines 277573 277573
Branches 40180 40180
=========================================
+ Hits 197031 197040 +9
- Misses 64386 64392 +6
+ Partials 16156 16141 -15
Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. |
Gradle Check (Jenkins) Run Completed with:
|
Gradle Check (Jenkins) Run Completed with:
|
Gradle Check (Jenkins) Run Completed with:
|
.github/workflows/version.yml
Outdated
jobs: | ||
build: | ||
permissions: | ||
contents: write # to create branch (peter-evans/create-pull-request) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This might not need the permissions since the token used here is from the Github App Token from an app and not the default Github token.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry for missing that. You are right. Fixed.
Gradle Check (Jenkins) Run Completed with:
|
Gradle Check (Jenkins) Run Completed with:
|
Please amend commits to fix DCO with |
CHANGELOG.md
Outdated
@@ -6,6 +6,7 @@ Inspired from [Keep a Changelog](https://keepachangelog.com/en/1.0.0/) | |||
|
|||
### Added | |||
|
|||
- GitHub Workflows token permission hardening ([#4587](https://github.com/opensearch-project/OpenSearch/pull/4587)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nit: maybe we can turn all these changelog lines into something that was actioned, e.g. Hardened token permissions in GitHub workflow?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
34a40e0
to
d89482d
Compare
Signed-off-by: sashashura <aleksandrosansan@gmail.com>
Gradle Check (Jenkins) Run Completed with:
|
Gradle Check (Jenkins) Run Completed with:
|
Gradle Check (Jenkins) Run Completed with:
|
Gradle Check (Jenkins) Run Completed with:
|
I don't think the gradle check failure is related to the changes, but let me know. |
Gradle Check (Jenkins) Run Completed with:
|
Gradle Check (Jenkins) Run Completed with:
|
@reta Could you please review it? |
The backport to
To backport manually, run these commands in your terminal: # Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/backport-2.x 2.x
# Navigate to the new working tree
pushd ../.worktrees/backport-2.x
# Create a new branch
git switch --create backport/backport-4587-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 d266a732aea4cf87781acf93e92c56ad3f1d0913
# Push it to GitHub
git push --set-upstream origin backport/backport-4587-to-2.x
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/backport-2.x Then, create a pull request where the |
Signed-off-by: sashashura <aleksandrosansan@gmail.com> Signed-off-by: sashashura <aleksandrosansan@gmail.com> (cherry picked from commit d266a73)
Manual backport #6097 |
Signed-off-by: sashashura <aleksandrosansan@gmail.com> Signed-off-by: sashashura <aleksandrosansan@gmail.com> (cherry picked from commit d266a73) Signed-off-by: Marc Handalian <handalm@amazon.com>
Signed-off-by: sashashura <aleksandrosansan@gmail.com> Signed-off-by: sashashura <aleksandrosansan@gmail.com> (cherry picked from commit d266a73) Signed-off-by: Marc Handalian <handalm@amazon.com>
This PR adds explicit permissions section to workflows. This is a security best practice because by default workflows run with extended set of permissions (except from
on: pull_request
from external forks). By specifying any permission explicitly all others are set to none. By using the principle of least privilege the damage a compromised workflow can do (because of an injection or compromised third party tool or action) is restricted.It is recommended to have most strict permissions on the top level and grant write permissions on job level case by case.