Set github workflow permissions to be minimally scoped
joycebrum opened this issue · 3 comments
I'm from Google working with the OpenSSF to improve supply-chain security in many open source projects.
I would like to suggest that the volatile project set minimally scoped permissions on its GitHub workflows (in this case the build.yml file). This means setting the permissions as read-only at the top level and granting any write permission at the run level.
This is necessary because GitHub workflows by default grant the GITHUB_TOKEN write permissions of all types, regardless of whether they are used or not. If the workflow gets compromised, an attacker can exploit these permissions.
This can be seen in the Action run step "Set up job" such as https://github.com/rust-osdev/volatile/actions/runs/3974296184.
Considering the changes are quite simple, I'll also suggest the PR together with this issue.
Thanks!
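The layout the issue describes, written out as an added example (this is not the project's actual build.yml; the job names, steps and the release command are assumptions for illustration):

```yaml
# Added example of a minimally scoped workflow. Not the volatile project's
# build.yml; the jobs, steps and release command below are assumptions.
name: Build
on: [push, pull_request]

# Top level: every job starts with a read-only GITHUB_TOKEN.
# Omitting this key entirely is what falls back to the permissive default.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - run: cargo build --all-targets

  # Only a job that actually needs to write gets a write scope,
  # and only the single scope it uses.
  release:
    if: startsWith(github.ref, 'refs/tags/')
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: write   # required to create the GitHub release
    steps:
      - uses: actions/checkout@v3
      - run: gh release create "${GITHUB_REF_NAME}" --generate-notes
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

Two points worth checking when applying this: once a `permissions` key is present at either level, every scope not listed is set to none (only `metadata: read` is always kept), so a job that silently relied on, say, `pull-requests: write` will start failing with a 403 rather than a warning; and `permissions: read-all` at the top level is an acceptable shorthand when a workflow reads several resource types.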
That is a weird default indeed.
Can we modify the default permissions for the whole rust-osdev organization instead? https://docs.github.com/en/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#setting-the-permissions-of-the-github_token-for-your-organization seems to suggest that it's possible.
Yes, it is indeed possible to change the default, and this is good because any new workflow added in the future that does not declare its dependency due to human error will only be granted read-all permissions.
Besides that, it is good practice to also declare the permissions in the yml file to be minimally scoped, because this ensures the workflow won't depend on any configuration to be secure, besides bringing transparency to users that the workflows are running under the principle of least privilege.
Thanks a lot! I just merged your PR.
I agree that changing the default at the organization level is a good idea too. However, we would probably need to update some of our repos for that. So we should look through all of our build jobs beforehand to avoid breaking something.
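One way to do that pass over the workflows before flipping the organization default, as an added example (not a script from the project or the thread): list every workflow file that has no top-level `permissions:` key, since those are the ones that currently depend on the default and would change behaviour. The sample workflow files it creates are constructed for the example.

```shell
#!/bin/sh
# Added example, not the project's own tooling.
# List workflow files in a directory that declare no top-level `permissions:`
# key; these fall back to the repository/organization default for GITHUB_TOKEN
# and are the ones to review before tightening that default.
audit_workflows() {
  dir="$1"
  for f in "$dir"/*.yml "$dir"/*.yaml; do
    [ -f "$f" ] || continue
    # A top-level key starts at column 0. Job-level `permissions:` is
    # indented, so it deliberately does not satisfy this check.
    if ! grep -qE '^permissions:' "$f"; then
      printf '%s\n' "$f"
    fi
  done
}

# Constructed sample workflows for the example (assumption: these are not the
# volatile project's real files). build.yml relies on the default; release.yml
# declares read-only at the top level and a single write scope on one job.
make_sample_workflows() {
  dir="$1"
  mkdir -p "$dir"
  cat > "$dir/build.yml" <<'EOF'
name: Build
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - run: cargo build
EOF
  cat > "$dir/release.yml" <<'EOF'
name: Release
on:
  push:
    tags: ['v*']
permissions:
  contents: read
jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v3
      - run: cargo publish
EOF
}

# Usage against a real checkout:  audit_workflows .github/workflows
```

Running it over a real repository only needs the `audit_workflows` function; the `make_sample_workflows` helper exists so the example can be exercised offline. Run it across every repository in the organization and the output is the list of files that need an explicit `permissions` block (or a confirmed reliance on the default) before the organization setting is changed.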