ci: Add GitHub token permissions for workflows

[varunsh-coder]

Proposed change

This PR adds minimum token permissions for the GITHUB_TOKEN using https://github.com/step-security/secure-workflows.

GitHub recommends defining minimum GITHUB_TOKEN permissions for securing GitHub Actions workflows

• https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/
• https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token
• The Open Source Security Foundation (OpenSSF) Scorecards treats not setting token permissions as a high-risk issue

This project is part of the top 100 critical projects as per OpenSSF (https://github.com/ossf/wg-securing-critical-projects), so fixing the token permissions to improve security.

Signed-off-by: Varun Sharma varunsh@stepsecurity.io

Type of change

• Dependency upgrade
• Bugfix (non-breaking change which fixes an issue)
• New integration (thank you!)
• New feature (which adds functionality to an existing integration)
• Breaking change (fix/feature causing existing functionality to break)
• Code quality improvements to existing code or addition of tests

Checklist

• The code change is tested and works locally.
• Local tests pass. Your PR cannot be merged unless tests pass
• There is no commented out code in this PR.
• I have followed the development checklist
• The code has been formatted using Black (black --fast homeassistant tests)
• Tests have been added to verify that the new code works.

If user exposed functionality or configuration variables are added/changed:

• Documentation added/updated for www.home-assistant.io

If the code communicates with devices, web services, or third-party tools:

• The manifest file has all fields filled out correctly.
  Updated and included derived files by running: python3 -m script.hassfest.
• New or updated dependencies have been added to requirements_all.txt.
  Updated by running python3 -m script.gen_requirements_all.
• For the updated dependencies - a link to the changelog, or at minimum a diff between library versions is added to the PR description.
• Untested files have been added to .coveragerc.

The integration reached or maintains the following Integration Quality Scale:

• No score or internal
• 🥈 Silver
• 🥇 Gold
• 🏆 Platinum

To help with the load of incoming pull requests:

• I have reviewed two other open pull requests in this repository.

[homeassistant]

Hi @varunsh-coder,

It seems you haven't yet signed a CLA. Please do so here.

Once you do that we will be able to review and accept this pull request.

Thanks!

[ludeeus]

We should set read on repository settings instead

[varunsh-coder]

Hi @ludeeus, I think it would be good to set read on repo settings in addition to this change. This way, since the permissions are set explicitly in the workflow, even if one forks this repo, the workflow will still be secure in the forked repo. Please let me know your thoughts.

[frenck]

I think that if that is required to secure forks, GitHub has an issue that we should take up with them. Basically, you are saying that the repository settings don't work?

[varunsh-coder]

I think that if that is required to secure forks, GitHub has an issue that we should take up with them. Basically, you are saying that the repository settings don't work?

Setting the token permission using repository setting will work for this repository. But if the repository is forked or if someone copies the same workflow and uses it in a different repository, the repository settings will not go along. This is why it is a best practice to keep the permissions along with the workflow file.

[frenck]

So, you are saying the repository permissions settings are not working / causing a security issue?

Since you guys are on a mission fixing / improving security for open source project, I assume you have reported/contacted GitHub about this as well? I am interested in their response actually?

[varunsh-coder]

So, you are saying the repository permissions settings are not working / causing a security issue?

Since you guys are on a mission fixing / improving security for open source project, I assume you have reported/contacted GitHub about this as well? I am interested in their response actually?

Hi @frenck I have not reported/ contacted GitHub about this, since they offer multiple solutions (repo setting + workflow file setting) and developers can choose to use both of them to cover all scenarios. I did work with GitHub to set token permissions in starter workflows. For starter workflow, permissions are required to be set in the workflow file. This is the issue for it: actions/starter-workflows#1299

For your repo, if you prefer to just use repo settings for cases where only contents: read is needed, I can remove the explicit workflow level permissions. The only downside is that forks of this repo will not automatically be secure, but the maintainers of those forks can implement the fix on their own. Please let me know. Thanks!

[varunsh-coder]

Hi @frenck, please let me know about this. Thanks!

[ludeeus]

These would not do anything

[varunsh-coder]

To clarify, do you mean these would not do anything because these are read permissions and this is a public repo, so the token will anyways have read access? I think that makes sense.

These changes are automated using https://github.com/step-security/secure-workflows, and that program just takes a workflow as input and fixes it. It does not have context on whether the workflow is in public repo or private repo. For a private repo, these permissions would need to be set explicitly. If you prefer that I remove these from the PR, I can do that. Please let me know.

[frenck]

These changes are automated using step-security/secure-workflows, and that program just takes a workflow as input and fixes it. It does not have context on whether the workflow is in public repo or private repo.

That is why automated tools for things like these are not really helpful and generate tons of noise.

Yes, please address the review comment.

[varunsh-coder]

Fixed

[ludeeus]

We should set read on repository settings instead

[ludeeus]

These would not do anything

[varunsh-coder]

Fixed

[ludeeus]

We should set read on repository settings instead

[ludeeus]

We should set read on repository settings instead

[ludeeus]

We should set read on repository settings instead

[github-actions]

There hasn't been any activity on this pull request recently. This pull request has been automatically marked as stale because of that and will be closed if no further activity occurs within 7 days.
Thank you for your contributions.