Posted to issues@nifi.apache.org by GitBox <gi...@apache.org> on 2022/09/26 17:45:28 UTC

[GitHub] [nifi] sashashura opened a new pull request, #6450: GitHub Workflows security hardening

sashashura opened a new pull request, #6450:
URL: https://github.com/apache/nifi/pull/6450

   This PR adds an explicit [permissions section](https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions) to workflows. This is a security best practice because by default workflows run with an [extended set of permissions](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token) (except for `on: pull_request` [from external forks](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)). By specifying any permission explicitly, all others are set to none. By using the principle of least privilege, the damage a compromised workflow can do (because of an [injection](https://securitylab.github.com/research/github-actions-untrusted-input/) or a compromised third-party tool or action) is restricted.
   It is recommended to have the [most strict permissions on the top level](https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions) and grant write permissions on the [job level](https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs) case by case.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@nifi.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
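As an added illustration of the hardening the PR describes (a constructed workflow, not a file from the PR or the NiFi repository), this is what a restrictive top-level `permissions` block with a case-by-case job-level write grant looks like; the job names, the build command and the use of `actions/labeler` are assumptions for the example.

```yaml
# Constructed example workflow (not from apache/nifi). Without the top-level
# `permissions` key below, every job would inherit the repository's default
# GITHUB_TOKEN scope, which the PR description notes is broader than most
# jobs need (pull_request runs from external forks already get a read-only token).
name: ci
on:
  push:
  pull_request:

# Top level: most restrictive. Naming any scope here sets every scope that is
# not listed to `none`, so this token can only read repository contents.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    # Inherits the read-only top-level token; a compromised dependency or
    # action in this job cannot push, publish packages or edit issues.
    steps:
      - uses: actions/checkout@v3
      - run: ./mvnw -B verify   # assumed build command

  label:
    runs-on: ubuntu-latest
    needs: build
    # Job-level grant, case by case: only this job may write to pull requests.
    # A job-level `permissions` block again sets every unlisted scope to `none`,
    # so `contents: read` must be repeated here for the action to read the repo.
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: actions/labeler@v4
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
```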


[GitHub] [nifi] exceptionfactory closed pull request #6450: GitHub Workflows security hardening

Posted by GitBox <gi...@apache.org>.
exceptionfactory closed pull request #6450: GitHub Workflows security hardening
URL: https://github.com/apache/nifi/pull/6450




[GitHub] [nifi] exceptionfactory commented on pull request #6450: GitHub Workflows security hardening

Posted by GitBox <gi...@apache.org>.
exceptionfactory commented on PR #6450:
URL: https://github.com/apache/nifi/pull/6450#issuecomment-1265605582

   Thanks again for the contribution @sashashura! I am closing this PR in favor of #6469 with associated Jira issue NIFI-10575, but I listed you as a co-author in the commit message.




[GitHub] [nifi] exceptionfactory commented on pull request #6450: GitHub Workflows security hardening

Posted by GitBox <gi...@apache.org>.
exceptionfactory commented on PR #6450:
URL: https://github.com/apache/nifi/pull/6450#issuecomment-1262544548

   Thanks for the contribution @sashashura, this looks like a helpful improvement to the workflow configurations.
   
   As noted in the Pull Request Template, all changes need to have an associated Apache NiFi Jira issue for tracking. The Apache NiFi Jira project is available at the following location:
   
   https://issues.apache.org/jira/projects/NIFI
   
   If you can create an issue and update this pull request with the reference issue number, that would be helpful.

