GitHub Workflows security hardening (#1071)

Summary: X-link: facebookincubator/velox#6969 This PR adds explicit [permissions section](https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions) to workflows. This is a security best practice because by default workflows run with [extended set of permissions](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token) (except from `on: pull_request` [from external forks](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)). By specifying any permission explicitly all others are set to none. By using the principle of least privilege the damage a compromised workflow can do (because of an [injection](https://securitylab.github.com/research/github-actions-untrusted-input/) or compromised third party tool or action) is restricted. It is recommended to have [most strict permissions on the top level](https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions) and grant write permissions on [job level](https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs) case by case. Pull Request resolved: #1071 Reviewed By: xavierd Differential Revision: D50095358 Pulled By: genevievehelsel fbshipit-source-id: 4fc80c6b7c48df08207f68420b48a90ffcfddf27
facebook · Oct 11, 2023 · 5be84ab · 5be84ab
1 parent 1e79219
commit 5be84ab
Show file tree

Hide file tree

Showing 6 changed files with 19 additions and 0 deletions.
diff --git a/.github/workflows/getdeps_linux.yml b/.github/workflows/getdeps_linux.yml
@@ -10,6 +10,9 @@ on:
     branches:
     - main
 
+permissions:
+  contents: read  #  to fetch code (actions/checkout)
+
 jobs:
   build:
     runs-on: ubuntu-20.04

diff --git a/.github/workflows/getdeps_mac.yml b/.github/workflows/getdeps_mac.yml
@@ -10,6 +10,9 @@ on:
     branches:
     - main
 
+permissions:
+  contents: read  #  to fetch code (actions/checkout)
+
 jobs:
   build:
     runs-on: macOS-latest

diff --git a/.github/workflows/getdeps_windows.yml b/.github/workflows/getdeps_windows.yml
@@ -10,6 +10,9 @@ on:
     branches:
     - main
 
+permissions:
+  contents: read  #  to fetch code (actions/checkout)
+
 jobs:
   build:
     runs-on: windows-2019

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -5,6 +5,10 @@ name: release
   push:
     tags:
       - v*
+
+permissions:
+  contents: write  #  to create a release
+
 jobs:
   prepare:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/release.yml.in b/.github/workflows/release.yml.in
@@ -5,6 +5,9 @@ on:
     tags:
       - v*
 
+permissions:
+  contents: write  #  to create a release
+
 jobs:
   prepare:
     runs-on: ubuntu-latest

diff --git a/build/fbcode_builder/getdeps.py b/build/fbcode_builder/getdeps.py
@@ -988,6 +988,9 @@ def write_job_for_platform(self, platform, args):  # noqa: C901
 
 on:{run_on}
 
+permissions:
+  contents: read  #  to fetch code (actions/checkout)
+
 jobs:
 """
             )
-Original file line number
+Diff line change
@@ Expand Up @@
     on:{run_on}
+    permissions:
+      contents: read  #  to fetch code (actions/checkout)
     jobs:
     """
                 )
@@ Expand Down @@