You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@nuttx.apache.org by GitBox <gi...@apache.org> on 2022/08/29 10:02:14 UTC

[GitHub] [incubator-nuttx] sashashura opened a new pull request, #6950: GitHub Workflows security hardening

sashashura opened a new pull request, #6950:
URL: https://github.com/apache/incubator-nuttx/pull/6950

   This PR adds explicit [permissions section](https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions) to workflows. This is a security best practice because by default workflows run with [extended set of permissions](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token) (except from `on: pull_request` [from external forks](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)). By specifying any permission explicitly all others are set to none. By using the principle of least privilege the damage a compromised workflow can do (because of an [injection](https://securitylab.github.com/research/github-actions-untrusted-input/) or compromised third party tool or action) is restricted.
   It is recommended to have [most strict permissions on the top level](https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions) and grant write permissions on [job level](https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs) case by case.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@nuttx.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [incubator-nuttx] sashashura commented on pull request #6950: GitHub Workflows security hardening

Posted by GitBox <gi...@apache.org>.

sashashura commented on PR #6950:
URL: https://github.com/apache/incubator-nuttx/pull/6950#issuecomment-1230093669

   > @sashashura should we make the similar change to https://github.com/apache/incubator-nuttx-apps?
   
   Sure, just created https://github.com/apache/incubator-nuttx-apps/pull/1302
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@nuttx.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [incubator-nuttx] xiaoxiang781216 commented on pull request #6950: GitHub Workflows security hardening

Posted by GitBox <gi...@apache.org>.

xiaoxiang781216 commented on PR #6950:
URL: https://github.com/apache/incubator-nuttx/pull/6950#issuecomment-1230078024

   @sashashura should we make the similar change to https://github.com/apache/incubator-nuttx-apps?


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@nuttx.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [incubator-nuttx] xiaoxiang781216 merged pull request #6950: GitHub Workflows security hardening

Posted by GitBox <gi...@apache.org>.

xiaoxiang781216 merged PR #6950:
URL: https://github.com/apache/incubator-nuttx/pull/6950


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@nuttx.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org