Declare permissions #15493

Merged
merged 2 commits into from
Feb 15, 2024

jsoref
Contributor

@jsoref jsoref commented Jan 31, 2024

Repositories can be configured with Default access (restricted) https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token

Best practice says that workflows should declare the minimal permissions they require. Without declaring permissions, paranoid forks fail miserably.

closes #15462

@jsoref
Contributor Author

jsoref commented Jan 31, 2024

To make the Check change note workflow happy, please add label:no-change-note-required

angelapwen
angelapwen previously approved these changes Jan 31, 2024
Contributor

@angelapwen angelapwen left a comment

I looked at your fork of the repo, which has identical permissions and works 👍 thank you for the contribution!

csharp/actions/create-extractor-pack/action.yml (outdated, resolved)
@angelapwen added the no-change-note-required label Jan 31, 2024
@jsoref jsoref force-pushed the declare-permissions branch from b997f22 to c5a047d Compare January 31, 2024 14:09
@github-actions github-actions bot removed the C# label Jan 31, 2024
Contributor

@angelapwen angelapwen left a comment

Blocking merge until the other comments are addressed 😄

@jsoref jsoref force-pushed the declare-permissions branch from 9da590e to 301cfcc Compare February 1, 2024 15:39
@jsoref jsoref requested a review from angelapwen February 4, 2024 16:21
Contributor

@aeisenberg aeisenberg left a comment

Thanks for contributing this. I like that this narrows the permissions of all of our tokens.

I think .github/workflows/csv-coverage-update.yml is broken. I have a few other suggestions that will allow you to narrow the permissions. security-events is only required if we are reading or writing SARIF to or from code scanning.

I do have a concern that these jobs haven't been run. Are you able to trigger them in your fork to make sure all permissions are correct?

What we do in other repos and can do here (but best to wait for a followup PR) is to add a chunk that ensures the workflow file is run whenever the workflow file itself is modified.

eg-

  pull_request:
    paths:
      - '.github/workflows/csv-coverage-timeseries.yml'

(and similar for all other workflow files)

.github/workflows/csv-coverage-update.yml (outdated, resolved)
.github/workflows/ql-for-ql-tests.yml (outdated, resolved)
.github/workflows/query-list.yml (outdated, resolved)
.github/workflows/ruby-dataset-measure.yml (outdated, resolved)
.github/workflows/ruby-qltest.yml (outdated, resolved)
.github/workflows/swift.yml (outdated, resolved)
.github/workflows/validate-change-notes.yml (outdated, resolved)
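
An added example, not part of this PR or the repository's tooling: a small Python audit that reports jobs running without any `permissions:` declaration and lists `security-events` grants so a reviewer can confirm they are needed for SARIF. The two sample workflows are constructed, and the parser is an indentation-based heuristic, not a full YAML parser.

```python
import re

# Constructed sample workflows for this example; not taken from the repository.
UNDECLARED = """\
on: pull_request
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: echo build
"""
DECLARED = """\
on: push
permissions:
  contents: read
jobs:
  scan:
    runs-on: ubuntu-latest
    permissions:
      security-events: write  # uploads SARIF
"""

def audit_workflow(text):
    """Indentation-based heuristic audit of one workflow's YAML text."""
    section = job = job_indent = child_indent = None
    top, declared, findings = False, {}, []
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*", "", raw).rstrip()   # drop comments
        if not line.strip():
            continue
        indent, key = len(line) - len(line.lstrip()), line.strip().split(":")[0]
        if indent == 0:                                  # new top-level key
            section, job, job_indent = key, None, None
            top = top or key == "permissions"            # applies to every job
        elif section == "jobs":
            job_indent = indent if job_indent is None else job_indent
            if indent == job_indent:                     # a job id
                job, child_indent = key, None
                declared[job] = False
            elif job:
                child_indent = indent if child_indent is None else child_indent
                if indent == child_indent and key == "permissions":
                    declared[job] = True                 # job-level declaration
        grant = re.match(r"security-events:\s*(read|write)", line.strip())
        if grant:                                        # grant to double-check
            findings.append(f"{job or 'workflow'}: security-events: {grant.group(1)} (confirm SARIF use)")
    if not top:
        findings += [f"{j}: no permissions declared" for j, ok in declared.items() if not ok]
    return findings
```
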
@jsoref
Contributor Author

jsoref commented Feb 7, 2024

@aeisenberg: the design of these workflows is really painful.

@jsoref jsoref force-pushed the declare-permissions branch from 301cfcc to 0f2888b Compare February 12, 2024 22:30
Comment on lines -22 to +27
uses: github/codeql-action/init@v2
uses: github/codeql-action/init@main
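
Review bot: `@main` on the second `uses:` line is a mutable branch ref, so every run executes whatever the action's main branch contains at that moment, under the token permissions the workflow declares. If tracking the latest action code is intended here, a YAML comment beside the line saying so would keep the unpinned ref from being read as an oversight later.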
Contributor Author

@aeisenberg says:

All of it really should be using @main since we want to test on the latest in case we break something.

@jsoref jsoref requested a review from aeisenberg February 12, 2024 22:34
Contributor

@aeisenberg aeisenberg left a comment

Partial review. I'm finding it hard to verify that this PR is correct.

.github/workflows/csharp-qltest.yml (outdated, resolved)
.github/workflows/csharp-qltest.yml (outdated, resolved)
aeisenberg
aeisenberg previously approved these changes Feb 13, 2024
Contributor

@aeisenberg aeisenberg left a comment

This is looking good to me, but since this change affects lots of files, I'd like someone else to approve as well.

Contributor

@angelapwen angelapwen left a comment

Some questions in comments. Also, I still see a bunch of security-events: read permissions here: are those necessary? I see that they were able to be dropped from a few workflows because of the changes you'd made in the Action 😄

.github/workflows/csharp-qltest.yml (outdated, resolved)
.github/workflows/fast-forward.yml (resolved)
@angelapwen
Contributor

Thank you for your patience and of course contributions @jsoref!! Merging now 💕

@angelapwen angelapwen merged commit 0643184 into github:main Feb 15, 2024
54 checks passed
@jsoref jsoref deleted the declare-permissions branch February 15, 2024 10:59
Labels
no-change-note-required This PR does not need a change note QL-for-QL
Development

Successfully merging this pull request may close these issues.

Workflows are missing permissions requests
3 participants