Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Use minimal permissions for CI jobs #885

Merged
merged 1 commit into from
Apr 3, 2023
Merged

Use minimal permissions for CI jobs #885

merged 1 commit into from
Apr 3, 2023

Conversation

newpavlov
Copy link
Member

@newpavlov newpavlov commented Apr 2, 2023

For most jobs we only need to read the contents to run tests. But I am not sure which permissions should be used for the security audit job. I think it should be something like:

permissions:
  contents: read
  checks: write
  issues: write

For now I will leave the default permissions.

Relevant issues: actions-rs/audit-check#218, actions-rs/audit-check#220

@newpavlov newpavlov requested a review from tarcieri April 2, 2023 03:47
@tarcieri
Copy link
Member

tarcieri commented Apr 2, 2023

FWIW I went through the repos and set the permissions to read-only quite awhile ago:

https://github.com/RustCrypto/utils/settings/actions

Screenshot 2023-04-02 at 8 31 22 AM

This could be belt-and-suspenders, I guess, but using administrative actions rather than configurations seems like a bit more surefire approach.

@newpavlov
Copy link
Member Author

It looks like this setting is equivalent to the restricted column with some additional rights to manipulate pull requests. It will be hard to do something malicious with such rights, but either way using tighter permissions probably will not hurt.

@newpavlov newpavlov merged commit 13385f6 into master Apr 3, 2023
@newpavlov newpavlov deleted the ci_permissions branch April 3, 2023 19:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants