GitHub Workflows security hardening #14746
hi @sashashura can you fix the conflicts?
Codecov Report
Base: 59.62% // Head: 59.62% // No change to project coverage 👍

@@ Coverage Diff @@
##             main   #14746   +/-   ##
=======================================
  Coverage   59.62%   59.62%
=======================================
  Files        1339     1339
  Lines       32569    32569
  Branches     6208     6208
=======================================
  Hits        19418    19418
  Misses      11291    11291
  Partials     1860     1860
Signed-off-by: Alex <aleksandrosansan@gmail.com>
@alexandrebodin done.
@sashashura Thank you for this improvement 👍
What does it do?
This PR adds an explicit permissions section to the workflows.
Why is it needed?
This is a security best practice: by default, workflows run with an extended set of permissions (except for on: pull_request from external forks). Once any permission is specified explicitly, all others are set to none. Applying the principle of least privilege restricts the damage a compromised workflow can do (because of an injection or a compromised third-party tool or action). It is recommended to have the most strict permissions at the top level and to grant write permissions at the job level case by case.
Related issue(s)/PR(s)
Let me know if this is mandatory
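As an added illustration of the pattern this PR applies (not a workflow from the Strapi repository), the following shows a workflow with no permissions block next to its hardened form: read-only at the top level, write granted only on the job that needs it. The two documents are separate workflow files shown in one block; the job names, the yarn command and the release script are assumptions for the example.

```yaml
# BEFORE (assumed example, not a Strapi workflow): no permissions block.
# For push and same-repository pull_request events the GITHUB_TOKEN gets the
# repository's default token scope, which is read/write on most scopes unless
# the repository settings say otherwise. Every job, including the plain test
# job, carries that full token.
name: ci-before
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - run: yarn test        # assumed test command
---
# AFTER: explicit, least-privilege permissions.
name: ci-after
on: [push, pull_request]
# Top level: as soon as any scope is listed, every scope not listed becomes
# "none". contents: read is all actions/checkout needs to fetch the source.
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    # No permissions block here, so this job inherits the read-only top-level
    # set. A compromised dependency or action in this job cannot push code,
    # open pull requests or touch packages with the job token.
    steps:
      - uses: actions/checkout@v3
      - run: yarn test        # assumed test command
  release:
    runs-on: ubuntu-latest
    needs: test
    # Job level: write access is granted case by case, only on the job that
    # actually needs it. This job pushes a release tag, so it gets
    # contents: write; nothing else is widened for it either.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v3
      - run: ./scripts/tag-release.sh   # hypothetical script (assumption)
```

A quick way to audit a repository for this is to list every workflow under .github/workflows that has no top-level permissions key, since those are the ones still running with the default token scope.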