bjoernager/rust
bjoernager/rust
1
Fork 0
Code Activity

Auto merge of #101332 - sashashura:patch-1, r=pietroalbini

Browse source 
GitHub Workflows security hardening

This PR adds explicit [permissions section](https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions) to workflows. This is a security best practice because by default workflows run with [extended set of permissions](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token) (except from `on: pull_request` [from external forks](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)). By specifying any permission explicitly all others are set to none. By using the principle of least privilege the damage a compromised workflow can do (because of an [injection](https://securitylab.github.com/research/github-actions-untrusted-input/) or compromised third party tool or action) is restricted.
It is recommended to have [most strict permissions on the top level](https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions) and grant write permissions on [job level](https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs) case by case.
This commit is contained in:
bors 2022-09-18 14:10:57 +00:00
commit a37499ae66
2 changed files with 17 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

8
.github/workflows/ci.yml vendored
View file

@ -25,11 +25,15 @@ name: CI
pull_request: pull_request:
branches: branches:
- "**" - "**"
permissions:
contents: read
defaults: defaults:
run: run:
shell: bash shell: bash
jobs: jobs:
pr: pr:
permissions:
actions: write
name: PR name: PR
env: env:
CI_JOB_NAME: "${{ matrix.name }}" CI_JOB_NAME: "${{ matrix.name }}"
@ -142,6 +146,8 @@ jobs:
AWS_SECRET_ACCESS_KEY: "${{ secrets[format('AWS_SECRET_ACCESS_KEY_{0}', env.ARTIFACTS_AWS_ACCESS_KEY_ID)] }}" AWS_SECRET_ACCESS_KEY: "${{ secrets[format('AWS_SECRET_ACCESS_KEY_{0}', env.ARTIFACTS_AWS_ACCESS_KEY_ID)] }}"
if: "success() && !env.SKIP_JOB && (github.event_name == 'push' || env.DEPLOY == '1' || env.DEPLOY_ALT == '1')" if: "success() && !env.SKIP_JOB && (github.event_name == 'push' || env.DEPLOY == '1' || env.DEPLOY_ALT == '1')"
auto: auto:
permissions:
actions: write
name: auto name: auto
env: env:
CI_JOB_NAME: "${{ matrix.name }}" CI_JOB_NAME: "${{ matrix.name }}"
@ -547,6 +553,8 @@ jobs:
AWS_SECRET_ACCESS_KEY: "${{ secrets[format('AWS_SECRET_ACCESS_KEY_{0}', env.ARTIFACTS_AWS_ACCESS_KEY_ID)] }}" AWS_SECRET_ACCESS_KEY: "${{ secrets[format('AWS_SECRET_ACCESS_KEY_{0}', env.ARTIFACTS_AWS_ACCESS_KEY_ID)] }}"
if: "success() && !env.SKIP_JOB && (github.event_name == 'push' || env.DEPLOY == '1' || env.DEPLOY_ALT == '1')" if: "success() && !env.SKIP_JOB && (github.event_name == 'push' || env.DEPLOY == '1' || env.DEPLOY_ALT == '1')"
try: try:
permissions:
actions: write
name: try name: try
env: env:
CI_JOB_NAME: "${{ matrix.name }}" CI_JOB_NAME: "${{ matrix.name }}"

9
src/ci/github-actions/ci.yml
View file

@ -264,6 +264,9 @@ on:
branches: branches:
- "**" - "**"
permissions:
contents: read
defaults: defaults:
run: run:
# On Linux, macOS, and Windows, use the system-provided bash as the default # On Linux, macOS, and Windows, use the system-provided bash as the default
@ -273,6 +276,8 @@ defaults:
jobs: jobs:
pr: pr:
permissions:
actions: write # for rust-lang/simpleinfra/github-actions/cancel-outdated-builds
<<: *base-ci-job <<: *base-ci-job
name: PR name: PR
env: env:
@ -293,6 +298,8 @@ jobs:
<<: *job-linux-xl <<: *job-linux-xl
auto: auto:
permissions:
actions: write # for rust-lang/simpleinfra/github-actions/cancel-outdated-builds
<<: *base-ci-job <<: *base-ci-job
name: auto name: auto
env: env:
@ -719,6 +726,8 @@ jobs:
<<: *job-windows-xl <<: *job-windows-xl
try: try:
permissions:
actions: write # for rust-lang/simpleinfra/github-actions/cancel-outdated-builds
<<: *base-ci-job <<: *base-ci-job
name: try name: try
env: env: