
[security good practice] GitHub Action workflow, secrets.GITHUB_TOKEN now restricted by default (was permissive) #31

Open
danielweck opened this issue Jan 31, 2024 · 2 comments

danielweck commented Jan 31, 2024

Please update your GitHub Action workflow YAML to include the permissions key and explicitly specify the read/write access rules your jobs actually require:

https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token

https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions

@danielweck
Member Author

Relevant code:

steps:
  - uses: actions/checkout@v1
  - uses: andresz1/size-limit-action@v1
    with:
      github_token: ${{ secrets.GITHUB_TOKEN }}

@danielweck
Member Author

In the Thorium project we need to create / delete / publish releases, and create / delete Git release tags. This is our GITHUB_TOKEN YAML configuration (as restrictive as possible):

https://github.com/edrlab/thorium-reader/blob/9d2bf56c181ec3da9634d30c12efdf067313efac/.github/workflows/main.yml#L9-L27
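The shape of the change requested in this issue, as an added example (not this repository's workflow and not the Thorium file linked above): a workflow-level `permissions` key that starts every job with no GITHUB_TOKEN scopes, widened per job only for what that job does. The scopes given to each job are assumptions (a PR comment for the size-limit job, release and tag creation for a release job); check them against the steps actually run.

```yaml
name: CI

on:
  pull_request:
  push:
    tags: ['v*']

# Workflow-level default: GITHUB_TOKEN receives no scopes unless a job asks.
# With no `permissions` key at all, the repository/organization default applies
# (historically read/write on everything), which is the behaviour this issue flags.
permissions: {}

jobs:
  size:
    runs-on: ubuntu-latest
    # Assumed: size-limit-action needs to read the checkout and post a PR comment.
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
      - uses: andresz1/size-limit-action@v1
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}

  release:
    if: startsWith(github.ref, 'refs/tags/v')
    runs-on: ubuntu-latest
    # Assumed: creating, publishing and deleting releases and tags is covered by
    # the `contents: write` scope; nothing else is granted to this job.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - run: gh release create "$GITHUB_REF_NAME" --generate-notes
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

A job that sets `permissions` replaces, rather than merges with, the workflow-level block, so every scope a job needs must be listed on the job itself.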
