ci: add GitHub token permissions #92999
Conversation
|
All commit authors signed the Contributor License Agreement. |
|
Most changes to Python require a NEWS entry. Please add it using the blurb_it web app or the blurb command-line tool. |
|
Thank you @varunsh-coder |
|
@ewdurbin, any reason not to backport this PR to 3.11/3.10? |
|
@ezio-melotti not that I'm aware of unless the workflows do not exist. |
ezio-melotti
added
needs backport to 3.10
|
Thanks @varunsh-coder for the PR, and @ewdurbin for merging it 🌮🎉.. I'm working now to backport this PR to: 3.11. |
|
Thanks @varunsh-coder for the PR, and @ewdurbin for merging it 🌮🎉.. I'm working now to backport this PR to: 3.10. |
(cherry picked from commit b96e20c) Co-authored-by: Varun Sharma <varunsh@stepsecurity.io>
|
Sorry, @varunsh-coder and @ewdurbin, I could not cleanly backport this to |
|
GH-98160 is a backport of this pull request to the 3.11 branch. |
|
GH-98161 is a backport of this pull request to the 3.10 branch. |
(cherry picked from commit b96e20c) Co-authored-by: Varun Sharma <varunsh@stepsecurity.io>
GitHub asks developers to define workflow permissions, see https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/ and https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token for securing GitHub workflows against supply-chain attacks.
The Open Source Security Foundation (OpenSSF) Scorecards also treats not setting token permissions as a high-risk issue.
This PR adds minimum token permissions for the GITHUB_TOKEN using https://github.com/step-security/secure-workflows.
This project is part of the top 100 critical projects as per OpenSSF (https://github.com/ossf/wg-securing-critical-projects), so fixing the token permissions to improve security.