Posted to issues@nifi.apache.org by "David Handermann (Jira)" <ji...@apache.org> on 2022/10/03 15:07:00 UTC
[jira] [Resolved] (NIFI-10575) Set GitHub Action Workflow token to the least privileged level
[ https://issues.apache.org/jira/browse/NIFI-10575?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
David Handermann resolved NIFI-10575.
-------------------------------------
Fix Version/s: 1.19.0
Assignee: Ashish Kurmi
Resolution: Fixed
> Set GitHub Action Workflow token to the least privileged level
> --------------------------------------------------------------
>
> Key: NIFI-10575
> URL: https://issues.apache.org/jira/browse/NIFI-10575
> Project: Apache NiFi
> Issue Type: Improvement
> Components: Tools and Build
> Reporter: Ashish Kurmi
> Assignee: Ashish Kurmi
> Priority: Major
> Fix For: 1.19.0
>
>
> Currently, the GitHub token associated with apache/nifi workflows is elevated. Here is an example of an elevated GitHub token:
> [https://github.com/apache/nifi/actions/runs/3167551611/jobs/5158128990#step:1:19]
> The token permissions should be adjusted to include only the required permissions.
> h3. Motivation and Context
> * This is a security best practice, so if the GITHUB_TOKEN is compromised due to a vulnerability or compromised Action, the damage will be reduced.
> * [GitHub recommends|https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token] defining minimum GITHUB_TOKEN permissions.
> * The Open Source Security Foundation (OpenSSF) [Scorecards|https://github.com/ossf/scorecard] also treats not setting token permissions as a high-risk issue. This change will help increase the Scorecard score for this repository.
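The change the issue asks for is a `permissions` block in the workflow file. The following is an added illustration, not the NiFi project's own workflow: it shows the least-privilege default at workflow level and a narrower, job-scoped widening for a job that genuinely needs a write scope. The workflow name, job names and build command are placeholders.

```yaml
# Added example (not from the NiFi issue or repository): a GitHub Actions
# workflow with GITHUB_TOKEN scoped to the least privilege it needs.
# Workflow name, job names and commands are placeholders.
name: ci

on:
  push:
  pull_request:

# Without a top-level "permissions" block, GITHUB_TOKEN receives the
# repository's default scopes, which for many existing repositories is
# read/write on most scopes (the "elevated" token the issue refers to).
#
# Declaring it here restricts every job in the workflow to read-only
# access to repository contents; any scope not listed is set to "none".
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - run: ./mvnw -B verify   # placeholder build command

  # A job that genuinely needs a write scope (for example to comment on a
  # pull request) re-declares only the extra scope at job level instead of
  # widening the workflow-wide default. Because some permissions are listed,
  # every scope not named here is again "none".
  report:
    runs-on: ubuntu-latest
    needs: build
    permissions:
      contents: read
      pull-requests: write
    steps:
      - run: echo "post results here"   # placeholder
```

To check the effect after the change, open any run of the workflow and expand the "Set up job" step: its log lists the effective GITHUB_TOKEN permissions for that job, which is the same place the run linked in the issue shows the elevated token. The OpenSSF Scorecard "Token-Permissions" check looks for exactly this top-level read-only default.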