From bdb66b1369db325af842a4b0ef66082461071bce Mon Sep 17 00:00:00 2001
From: per1234
Date: Fri, 23 Jun 2023 09:17:24 -0700
Subject: [PATCH] Configure permissions of `GITHUB_TOKEN` in workflows

`GITHUB_TOKEN` is an access token provided automatically by GitHub Actions.
The default permissions of this token for workflow runs in a trusted context
(i.e., not triggered by a PR from a fork) are set in the
enterprise/organization/repository's administrative settings, giving it either
read-only or write permissions in all scopes.

In the case of a read-only default configuration, any workflow operations that
require write permissions would fail with an error like:

> 403: Resource not accessible by integration

In the case of a write default configuration, workflows have unnecessary
permissions, which violates the security principle of least privilege.

For this reason, GitHub Actions now allows fine-grained control of the
permissions provided to the token, which are used here to configure the
workflows for only the permissions they require in each job.

The automatic permissions downgrade from write to read for workflows triggered
by events generated by a PR from a fork is unaffected.

Even when all permissions are withheld (`permissions: {}`), the token still
provides the authenticated API request rate limiting allowance, which is a
common use of the token in these workflows.

Read permissions are required in the "contents" scope in order to check out
private repositories. Even though those permissions are not required for this
public repository, the standardized "Sync Labels" workflow template is intended
to be applicable in public and private repositories both and so a small excess
in permissions was chosen in order to use the upstream template unmodified.
---
 .github/workflows/compile-examples.yml   | 1 +
 .github/workflows/report-size-deltas.yml | 2 ++
 .github/workflows/sync-labels.yml        | 6 ++++++
 3 files changed, 9 insertions(+)
diff --git a/.github/workflows/compile-examples.yml b/.github/workflows/compile-examples.yml index 51f2fe7c1..4ff26836a 100644 --- a/.github/workflows/compile-examples.yml +++ b/.github/workflows/compile-examples.yml @@ -23,6 +23,7 @@ on: jobs: compile-test: runs-on: ubuntu-latest + permissions: {} env: # sketch paths to compile (recursive) for all boards diff --git a/.github/workflows/report-size-deltas.yml b/.github/workflows/report-size-deltas.yml index 4a7c2ba20..bd38b2492 100644 --- a/.github/workflows/report-size-deltas.yml +++ b/.github/workflows/report-size-deltas.yml @@ -7,6 +7,8 @@ on: jobs: report: runs-on: ubuntu-latest + permissions: + pull-requests: write steps: - name: Comment size deltas reports to PRs diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index 3a330c127..69c9ed4b3 100644 --- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml @@ -24,6 +24,8 @@ env: jobs: check: runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository @@ -55,6 +57,7 @@ jobs: download: needs: check runs-on: ubuntu-latest + permissions: {} strategy: matrix: @@ -81,6 +84,9 @@ jobs: sync: needs: download runs-on: ubuntu-latest + permissions: + contents: read + issues: write steps: - name: Set environment variables
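Review bot: in the `compile-examples.yml` hunk, `permissions: {}` on `compile-test` is the right job-level grant, but because every grant in this series is set per job, any job added to these workflows later silently inherits the repository's default token permissions again. Adding a workflow-level `permissions: {}` above `jobs:` and keeping the job-level blocks as the only escalations would make the least-privilege intent stated in the commit message hold for future edits as well.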
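Review bot: in the `report-size-deltas.yml` hunk, `pull-requests: write` covers posting the comment, but please confirm it is the only scope the "Comment size deltas reports to PRs" step needs: if the action locates and downloads the size-report artifacts from other workflow runs through the REST API (the step body is outside this hunk), it may also need `actions: read`, and a missing scope would only surface at run time as the `403: Resource not accessible by integration` error the commit message describes. Exercising the workflow once on a test PR before merging would show whether the grant is complete.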
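Review bot: in the first `sync-labels.yml` hunk (`check` job), the reason `contents: read` is granted although this public repository does not need it (the upstream template must also work in private repositories, where checkout requires it) lives only in the commit message. A one-line YAML comment above `permissions:` would keep that rationale next to the grant, so that a later least-privilege tidy-up in this repository does not drop it and diverge from the shared template.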
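Review bot: in the last `sync-labels.yml` hunk (`sync` job), `issues: write` is the scope GitHub uses for the labels API, so it is the correct grant and the only write scope in the whole series; `contents: read` is again only there for checkout in private repositories. Since this is the one job in which the token can modify the repository, a short comment stating that labels are managed through the Issues scope would stop a future reader from "correcting" it to `contents: write`, which would widen the token well beyond what the job needs.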