Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

GitHub Workflows security hardening #9440

Closed
wants to merge 15 commits into from
Closed

GitHub Workflows security hardening #9440

wants to merge 15 commits into from

Conversation

sashashura
Copy link
Contributor

This PR adds explicit permissions section to workflows. This is a security best practice because by default workflows run with extended set of permissions (except from on: pull_request from external forks). By specifying any permission explicitly all others are set to none. By using the principle of least privilege the damage a compromised workflow can do (because of an injection or compromised third party tool or action) is restricted.
It is recommended to have most strict permissions on the top level and grant write permissions on job level case by case.

TimWolla
TimWolla approved these changes Aug 27, 2022
View reviewed changes
Copy link
Member

@TimWolla TimWolla left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Definitely makes sense and LGTM other than that remark.

.github/workflows/nightly.yml Outdated Show resolved Hide resolved
.github/workflows/push.yml Outdated Show resolved Hide resolved
TimWolla
TimWolla approved these changes Aug 27, 2022
View reviewed changes
Copy link
Member

@TimWolla TimWolla left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Perfect, thanks. This likely should be merged by an organization owner, so that the default permissions for new workflows can also be restricted in the repository settings at: https://github.com/php/php-src/settings/actions (bottom most setting).

@sashashura @mvorisek
Update .github/workflows/close-needs-feedback.yml
d141c53 
Co-authored-by: Michael Voříšek <mvorisek@mvorisek.cz>
@cmb69
Copy link
Member

cmb69 commented Aug 30, 2022

Thank you!

@cmb69 cmb69 closed this in 1d45ca5 Aug 30, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mvorisek mvorisek mvorisek left review comments

@TimWolla TimWolla TimWolla approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@sashashura @cmb69 @TimWolla @mvorisek