[#38256] - ci: add GitHub token permissions for workflow
- Fixed in Code Base
- 12 Jul 2022
- Medium
- Build: 4.2-dev
- # 38256
- Diff
- varunsh-coder:token-perms
User tests: Successful: Unsuccessful:
Summary of Changes
This PR adds minimum token permissions for the GITHUB_TOKEN using https://github.com/step-security/secure-workflows.
GitHub recommends defining minimum GITHUB_TOKEN permissions for securing GitHub Actions workflows
- https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/
- https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token
- The Open Source Security Foundation (OpenSSF) Scorecards treats not setting token permissions as a high-risk issue
This project is part of the top 100 critical projects as per OpenSSF (https://github.com/ossf/wg-securing-critical-projects), so fixing the token permissions to improve security.
Signed-off-by: Varun Sharma varunsh@stepsecurity.io
Testing Instructions
N/A
Actual result BEFORE applying this Pull Request
GITHUB_TOKEN has all permissions
https://github.com/joomla/joomla-cms/runs/7143497554?check_suite_focus=true#step:1:16
Expected result AFTER applying this Pull Request
GITHUB_TOKEN will have minimum permissions needed
Documentation Changes Required
N/A
| Status | New | ⇒ | Pending |
joomla-cms-bot
- | Category | ⇒ | Repository |
| Status | Pending | ⇒ | Fixed in Code Base |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2022-07-12 08:32:37 |
| Closed_By | ⇒ | wilsonge | |
| Labels |
Added:
?
|
||
LGTM. I'm not adding this to the release milestone as it just affects the .github directory. But feel free to overrule
Thanks will assign to 3.10 as its a action that only runs for this release.
Looks good to me @wilsonge can you please double check here?