Set permissions for GitHub actions(chore:)#15793
Set permissions for GitHub actions(chore:)#15793naveensrinivasan wants to merge 1 commit intoAlluxio:master-2.xfrom
Conversation
Restrict the GitHub token permissions only to the required ones; this way, even if the attackers will succeed in compromising your workflow, they won’t be able to do much. - Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/) Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com>
| Automated checks report:
Some checks failed. Please fix the reported issues and reply 'alluxio-bot, check this please' to re-run checks. |
| thanks for surfacing this potential security issue. i've also changed the workflow permissions on the organizational level such that the GITHUB_TOKEN only has read permissions |
👍 |
| @naveensrinivasan we need the CLA signed before we merge the code, do you mind sending me your email address to me(shouwei@alluxio.com) thus I can send you the CLA? |
Thanks, I will do it. |
I have emailed it. Thanks |
HelloHorizon changed the title | Automated checks report:
All checks passed! |
| This pull request has been automatically marked as stale because it has not had recent activity. It will be closed in two weeks if no further activity occurs. Thank you for your contributions. |
github-actions bot added the stale github-actions bot removed the stale | This pull request has been automatically marked as stale because it has not had recent activity. It will be closed in two weeks if no further activity occurs. Thank you for your contributions. |
github-actions bot added the stale github-actions bot removed the stale | This pull request has been automatically marked as stale because it has not had recent activity. It will be closed in two weeks if no further activity occurs. Thank you for your contributions. |
github-actions bot added the stale 4 participants
Restrict the GitHub token permissions only to the required ones; this way, even if the attackers will succeed in compromising your workflow, they won’t be able to do much.
https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs
Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests
Signed-off-by: naveen 172697+naveensrinivasan@users.noreply.github.com