Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

GitHub Workflows security hardening #1162

Merged
merged 1 commit into from
Dec 12, 2022
Merged

GitHub Workflows security hardening #1162

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 8 additions & 0 deletions .github/workflows/validate.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,10 @@ on:
- 'alpha'
- '!all-contributors/**'
pull_request: {}
permissions:
actions: write # to cancel/stop running workflows (styfle/cancel-workflow-action)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you include a summary of the permissions before and after for each change?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Before the change for all jobs (as seen here https://github.com/testing-library/react-testing-library/actions/runs/3633193928/jobs/6129924592):

GITHUB_TOKEN Permissions
  Actions: write
  Checks: write
  Contents: write
  Deployments: write
  Discussions: write
  Issues: write
  Metadata: read
  Packages: write
  Pages: write
  PullRequests: write
  RepositoryProjects: write
  SecurityEvents: write
  Statuses: write

After the change
For the release job (not mention permissions are none):

GITHUB_TOKEN Permissions
  Actions: write
  Contents: write
  Metadata: read

For all others:

GITHUB_TOKEN Permissions
  Actions: write
  Contents: read
  Metadata: read

contents: read # to fetch code (actions/checkout)

jobs:
main:
continue-on-error: ${{ matrix.react != 'latest' }}
Expand Down Expand Up @@ -58,6 +62,10 @@ jobs:
flags: ${{ matrix.react }}

release:
permissions:
actions: write # to cancel/stop running workflows (styfle/cancel-workflow-action)
contents: write # to create release tags (cycjimmy/semantic-release-action)

needs: main
runs-on: ubuntu-latest
if:
Expand Down