You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@libcloud.apache.org by to...@apache.org on 2022/06/03 20:16:09 UTC
[libcloud] branch trunk updated: chore: Set permissions for GitHub actions
This is an automated email from the ASF dual-hosted git repository.
tomaz pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/libcloud.git
The following commit(s) were added to refs/heads/trunk by this push:
new 7884fa4e7 chore: Set permissions for GitHub actions
new 236669e06 Merge pull request #1702 from turrisxyz/Pinned-Dependencies-GitHub
7884fa4e7 is described below
commit 7884fa4e7425937a3741322b2e0bc2ba22d1855a
Author: naveen <17...@users.noreply.github.com>
AuthorDate: Fri Jun 3 00:30:53 2022 +0000
chore: Set permissions for GitHub actions
Restrict the GitHub token permissions only to the required ones; this way, even if the attackers will succeed in compromising your workflow, they won’t be able to do much.
- Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs
[Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)
Signed-off-by: naveen <17...@users.noreply.github.com>
---
.github/workflows/codeql-analysis.yml | 4 ++++
.github/workflows/install_test.yml | 3 +++
.github/workflows/publish_dev_artifact.yml | 3 +++
.github/workflows/publish_pricing_to_s3.yml | 3 +++
4 files changed, 13 insertions(+)
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 16cd80654..d13a26140 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -31,6 +31,10 @@ jobs:
github_token: ${{ github.token }}
analyze:
+ permissions:
+ actions: read # for github/codeql-action/init to get workflow details
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/autobuild to send a status report
name: Analyze
runs-on: ubuntu-latest
timeout-minutes: 12
diff --git a/.github/workflows/install_test.yml b/.github/workflows/install_test.yml
index 2d58c290c..477847be0 100644
--- a/.github/workflows/install_test.yml
+++ b/.github/workflows/install_test.yml
@@ -7,6 +7,9 @@ on:
- cron: '0 13 * * *'
- cron: '0 2 * * *'
+permissions:
+ contents: read
+
jobs:
install_and_verify:
name: Install latest stable version
diff --git a/.github/workflows/publish_dev_artifact.yml b/.github/workflows/publish_dev_artifact.yml
index 8acbcacd4..f44443571 100644
--- a/.github/workflows/publish_dev_artifact.yml
+++ b/.github/workflows/publish_dev_artifact.yml
@@ -13,6 +13,9 @@ on:
types:
- completed
+permissions:
+ contents: read
+
jobs:
generate_and_publish_dev_release_artifacts:
name: Generate and Publish Dev Release Artifacts
diff --git a/.github/workflows/publish_pricing_to_s3.yml b/.github/workflows/publish_pricing_to_s3.yml
index 48ba4c21c..e54a47095 100644
--- a/.github/workflows/publish_pricing_to_s3.yml
+++ b/.github/workflows/publish_pricing_to_s3.yml
@@ -6,6 +6,9 @@ on:
- cron: '0 13 * * *'
- cron: '0 2 * * *'
+permissions:
+ contents: read
+
jobs:
generate_and_publish_pricing_data:
name: Generate and Publish Pricing file to S3