
*: GitHub Workflows security hardening #38880

Merged
merged 7 commits into from
Nov 4, 2022

Conversation

sashashura
Contributor

@sashashura sashashura commented Nov 3, 2022

What problem does this PR solve?

Issue Number: close #38881

Problem Summary:

This PR adds an explicit permissions section to workflows. This is a security best practice because by default workflows run with an extended set of permissions (except for on: pull_request from external forks). By specifying any permission explicitly, all others are set to none. By using the principle of least privilege, the damage a compromised workflow can do (because of an injection or a compromised third-party tool or action) is restricted.
It is recommended to have the most strict permissions on the top level and grant write permissions on the job level case by case.

Check List

Tests

  • Unit test
  • Integration test
  • Manual test (add detailed scripts or steps below)
  • No code

Side effects

  • Performance regression: Consumes more CPU
  • Performance regression: Consumes more Memory
  • Breaking backward compatibility

Documentation

  • Affects user behaviors
  • Contains syntax changes
  • Contains variable changes
  • Contains experimental features
  • Changes MySQL compatibility

Release note

Please refer to Release Notes Language Style Guide to write a quality release note.

None

Signed-off-by: Alex <aleksandrosansan@gmail.com>
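As an added illustration of the change the description asks for (constructed here; the page does not show the repository's own workflow files), a workflow without a permissions section next to the hardened form with a read-only top level and a job-level write grant. The workflow name, job names, commands and label are assumptions:

```yaml
# BEFORE (constructed example): no permissions key, so GITHUB_TOKEN receives
# the repository's default scope, which is read/write on most scopes unless
# the repository or organisation default has been changed.
name: ci-before
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - run: make test
---
# AFTER (constructed example): least privilege at the top level, write access
# granted per job only where that job needs it.
name: ci-after
on: [push, pull_request]

# Naming any scope here sets every unnamed scope to none, so the token every
# job inherits can only read repository contents.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - run: make test

  label:
    runs-on: ubuntu-latest
    # A job-level permissions block replaces the top-level one rather than
    # extending it, so contents: read must be repeated alongside the one
    # write scope this job actually uses. Note that on pull_request events
    # from external forks the token stays read-only regardless of this block.
    permissions:
      contents: read
      pull-requests: write
    steps:
      - run: gh pr edit "$PR" --add-label needs-review
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR: ${{ github.event.pull_request.number }}
```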
@ti-chi-bot
Member

ti-chi-bot commented Nov 3, 2022

[REVIEW NOTIFICATION]

This pull request has been approved by:

  • hawkingrei
  • xhebox

To complete the pull request process, please ask the reviewers in the list to review by filling /cc @reviewer in the comment.
After your PR has acquired the required number of LGTMs, you can assign this pull request to the committer in the list by filling /assign @committer in the comment to help you merge this pull request.

The full list of commands accepted by this bot can be found here.

Reviewer can indicate their review by submitting an approval review.
Reviewer can cancel approval by submitting a request changes review.

@ti-chi-bot ti-chi-bot added do-not-merge/invalid-title release-note-none Denotes a PR that doesn't merit a release note. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Nov 3, 2022
@sre-bot
Contributor

sre-bot commented Nov 3, 2022

CLA assistant check
All committers have signed the CLA.

@sashashura sashashura changed the title GitHub Workflows security hardening *:GitHub Workflows security hardening Nov 3, 2022
@sashashura sashashura changed the title *:GitHub Workflows security hardening *: GitHub Workflows security hardening Nov 3, 2022
Contributor

@xhebox xhebox left a comment


/cc @wuhuizuo

@ti-chi-bot ti-chi-bot added the status/LGT1 Indicates that a PR has LGTM 1. label Nov 4, 2022
@ti-chi-bot ti-chi-bot added status/LGT2 Indicates that a PR has LGTM 2. and removed status/LGT1 Indicates that a PR has LGTM 1. labels Nov 4, 2022
@hawkingrei
Member

/merge

@ti-chi-bot
Member

This pull request has been accepted and is ready to merge.

Commit hash: 21f3c28

@ti-chi-bot ti-chi-bot added the status/can-merge Indicates a PR has been approved by a committer. label Nov 4, 2022
@ti-chi-bot ti-chi-bot merged commit 2f03a8d into pingcap:master Nov 4, 2022
@sre-bot
Contributor

sre-bot commented Nov 4, 2022

TiDB MergeCI notify

✅ Well Done! New fixed [1] after this pr merged.

| CI Name | Result | Duration | Compare with Parent commit |
|---|---|---|---|
| idc-jenkins-ci/integration-cdc-test | 🔴 failed 5, success 34, total 39 | 21 min | Existing failure |
| idc-jenkins-ci-tidb/integration-common-test | ✅ all 17 tests passed | 14 min | Fixed |
| idc-jenkins-ci-tidb/integration-ddl-test | 🟢 all 6 tests passed | 31 min | Existing passed |
| idc-jenkins-ci-tidb/common-test | 🟢 all 11 tests passed | 13 min | Existing passed |
| idc-jenkins-ci-tidb/tics-test | 🟢 all 1 tests passed | 7 min 20 sec | Existing passed |
| idc-jenkins-ci-tidb/sqllogic-test-1 | 🟢 all 26 tests passed | 5 min 4 sec | Existing passed |
| idc-jenkins-ci-tidb/sqllogic-test-2 | 🟢 all 28 tests passed | 4 min 57 sec | Existing passed |
| idc-jenkins-ci-tidb/mybatis-test | 🟢 all 1 tests passed | 3 min 1 sec | Existing passed |
| idc-jenkins-ci-tidb/integration-compatibility-test | 🟢 all 1 tests passed | 2 min 36 sec | Existing passed |
| idc-jenkins-ci-tidb/plugin-test | 🟢 build success, plugin test success | 4 min | Existing passed |

Successfully merging this pull request may close these issues.

Harden workflow permissions