◐ Shell
reader mode source ↗
Skip to content

ci: add GitHub token permissions#92999

Merged
ewdurbin merged 1 commit into
python:mainfrom
varunsh-coder:token-perms
May 21, 2022
Merged

ci: add GitHub token permissions#92999
ewdurbin merged 1 commit into
python:mainfrom
varunsh-coder:token-perms

Conversation

@varunsh-coder

@varunsh-coder varunsh-coder commented May 20, 2022

Copy link
Copy Markdown
Contributor

GitHub asks developers to define workflow permissions, see https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/ and https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token for securing GitHub workflows against supply-chain attacks.

The Open Source Security Foundation (OpenSSF) Scorecards also treats not setting token permissions as a high-risk issue.

This PR adds minimum token permissions for the GITHUB_TOKEN using https://github.com/step-security/secure-workflows.

This project is part of the top 100 critical projects as per OpenSSF (https://github.com/ossf/wg-securing-critical-projects), so fixing the token permissions to improve security.

@ghost

ghost commented May 20, 2022
edited by ghost
Loading

Copy link
Copy Markdown

All commit authors signed the Contributor License Agreement.
CLA signed

@bedevere-bot

bedevere-bot commented May 20, 2022

Copy link
Copy Markdown

Most changes to Python require a NEWS entry.

Please add it using the blurb_it web app or the blurb command-line tool.

@varunsh-coder varunsh-coder mentioned this pull request May 20, 2022
Open
@erlend-aasland erlend-aasland requested review from ewdurbin and zware May 20, 2022 07:28
@ewdurbin ewdurbin mentioned this pull request May 21, 2022
Merged
@ewdurbin ewdurbin merged commit b96e20c into python:main May 21, 2022
@ewdurbin

ewdurbin commented May 21, 2022

Copy link
Copy Markdown
Member

Thank you @varunsh-coder

@varunsh-coder varunsh-coder mentioned this pull request Jul 28, 2022
Open
32 tasks
@ezio-melotti

ezio-melotti commented Oct 8, 2022

Copy link
Copy Markdown
Member

@ewdurbin, any reason not to backport this PR to 3.11/3.10?

@ezio-melotti ezio-melotti mentioned this pull request Oct 9, 2022
Merged
@ewdurbin

ewdurbin commented Oct 10, 2022

Copy link
Copy Markdown
Member

@ezio-melotti not that I'm aware of unless the workflows do not exist.

@ezio-melotti ezio-melotti added needs backport to 3.10 only security fixes needs backport to 3.11 only security fixes labels Oct 10, 2022
@miss-islington

miss-islington commented Oct 10, 2022

Copy link
Copy Markdown
Contributor

Thanks @varunsh-coder for the PR, and @ewdurbin for merging it 🌮🎉.. I'm working now to backport this PR to: 3.11.
🐍🍒⛏🤖

@miss-islington

miss-islington commented Oct 10, 2022

Copy link
Copy Markdown
Contributor

Thanks @varunsh-coder for the PR, and @ewdurbin for merging it 🌮🎉.. I'm working now to backport this PR to: 3.10.
🐍🍒⛏🤖

@bedevere-bot bedevere-bot removed the needs backport to 3.11 only security fixes label Oct 10, 2022
@miss-islington

miss-islington commented Oct 10, 2022

Copy link
Copy Markdown
Contributor

Sorry, @varunsh-coder and @ewdurbin, I could not cleanly backport this to 3.10 due to a conflict.
Please backport using cherry_picker on command line.
cherry_picker b96e20c1d9be4e6d5ea3e48c9c97e5ecd02f6055 3.10

@bedevere-bot

bedevere-bot commented Oct 10, 2022

Copy link
Copy Markdown

GH-98160 is a backport of this pull request to the 3.11 branch.

@bedevere-bot

bedevere-bot commented Oct 10, 2022

Copy link
Copy Markdown

GH-98161 is a backport of this pull request to the 3.10 branch.

@bedevere-bot bedevere-bot removed the needs backport to 3.10 only security fixes label Oct 10, 2022
@ezio-melotti ezio-melotti mentioned this pull request Oct 10, 2022
Closed
miss-islington added a commit that referenced this pull request Oct 10, 2022
@miss-islington @varunsh-coder
ci: add GitHub token permissions (GH-92999)
1269297 
(cherry picked from commit b96e20c)

Co-authored-by: Varun Sharma <varunsh@stepsecurity.io>
ezio-melotti added a commit that referenced this pull request Oct 10, 2022
@ezio-melotti @varunsh-coder
[3.10] ci: add GitHub token permissions (GH-92999) (#98161)
64ce2cb 
* ci: add GitHub token permissions (#92999)

(cherry picked from commit b96e20c)

* [3.10] ci: add GitHub token permissions (GH-92999).
(cherry picked from commit b96e20c)

Co-authored-by: Varun Sharma <varunsh@stepsecurity.io>

Co-authored-by: Varun Sharma <varunsh@stepsecurity.io>
@pnacht pnacht mentioned this pull request Nov 21, 2022
Closed
@ashishkurmi ashishkurmi mentioned this pull request Dec 21, 2022
Open
87 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ewdurbin ewdurbin ewdurbin approved these changes

@zware zware Awaiting requested review from zware

Assignees

@ewdurbin ewdurbin

Labels

skip issue skip news

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@varunsh-coder @bedevere-bot @ewdurbin @ezio-melotti @miss-islington @erlend-aasland