GitHub Workflows security hardening #14746

Merged
merged 4 commits into from
Nov 23, 2022


sashashura
Contributor

What does it do?

This PR adds explicit permissions section to workflows.

Why is it needed?

This is a security best practice because by default workflows run with an extended set of permissions (except for `on: pull_request` from external forks). By specifying any permission explicitly, all others are set to none. By using the principle of least privilege, the damage a compromised workflow can do (because of an injection or a compromised third-party tool or action) is restricted.
It is recommended to have the most strict permissions on the top level and grant write permissions on the job level case by case.

Related issue(s)/PR(s)

Let me know if this is mandatory
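The pattern the PR describes, as an added example that is not part of this PR or of Strapi's workflows: the first document is a workflow without a `permissions` key (the state being moved away from), the second restates it with a read-only top-level block and a job-level write grant. The job names, the `gh pr comment` step and the `npm` commands are assumptions for illustration; `actions/checkout@v3` and the permission scope names are real GitHub Actions identifiers.

```yaml
# Before: no `permissions` key, so GITHUB_TOKEN gets the repository's default
# scope, and every step, including the third-party action, can use that token.
name: ci-before
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - run: npm ci && npm test
---
# After: minimal top-level permissions, write access granted per job only
# where a job needs it (assumed job names and steps).
name: ci-after
on: [push, pull_request]

# Top level: read-only on repository contents. Naming any scope here sets
# every unlisted scope (issues, pull-requests, packages, ...) to none.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    # Inherits the top-level read-only set; nothing to add.
    steps:
      - uses: actions/checkout@v3
      - run: npm ci && npm test

  comment:
    # Hypothetical job that posts a PR comment; only this job gets
    # pull-requests write. A job-level block replaces the top-level one
    # for that job, so `contents: read` is restated for the checkout step.
    runs-on: ubuntu-latest
    needs: test
    if: github.event_name == 'pull_request'
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: actions/checkout@v3
      - run: gh pr comment "$PR" --body "tests passed"
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR: ${{ github.event.pull_request.number }}
```

Because a job-level `permissions` block replaces rather than extends the workflow-level one, a job that needs both checkout and a write scope has to list both; forgetting `contents: read` is the usual way this refactor breaks a job. For `pull_request` events from external forks, the token stays read-only regardless of what the workflow requests, which is the exception noted above.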

@strapi-cla

strapi-cla commented Oct 31, 2022

CLA assistant check
All committers have signed the CLA.

@jhoward1994 jhoward1994 added source: cli Source is cli package pr: enhancement This PR adds or updates some part of the codebase or features labels Oct 31, 2022
@alexandrebodin
Member

Hi @sashashura, can you fix the conflicts?

@codecov

codecov bot commented Nov 17, 2022

Codecov Report

Base: 59.62% // Head: 59.62% // No change to project coverage 👍

Coverage data is based on head (e80ac50) compared to base (e033275).
Patch has no changes to coverable lines.

Additional details and impacted files
@@           Coverage Diff           @@
##             main   #14746   +/-   ##
=======================================
  Coverage   59.62%   59.62%           
=======================================
  Files        1339     1339           
  Lines       32569    32569           
  Branches     6208     6208           
=======================================
  Hits        19418    19418           
  Misses      11291    11291           
  Partials     1860     1860           
Flag Coverage Δ
back 49.78% <ø> (ø)
front 64.09% <ø> (ø)
unit_back 49.78% <ø> (ø)
unit_front 64.09% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.


Signed-off-by: Alex <aleksandrosansan@gmail.com>
@sashashura
Contributor Author

@alexandrebodin done.

@alexandrebodin alexandrebodin added source: tooling Source is GitHub tooling/tests/ect pr: chore This PR contains chore tasks (cleanups, configs, tooling...) and removed source: cli Source is cli package pr: enhancement This PR adds or updates some part of the codebase or features labels Nov 23, 2022
@alexandrebodin alexandrebodin added this to the 4.5.3 milestone Nov 23, 2022
@alexandrebodin alexandrebodin merged commit c5839f5 into strapi:main Nov 23, 2022
@alexandrebodin
Member

@sashashura Thank you for this improvement 👍
