GitHub Workflows security hardening #2444

Merged (5 commits), Nov 21, 2022
Conversation

sashashura (Contributor):
Pull Request check-list

Please make sure to review and check all of these items:

  • Does $ tox pass with this change (including linting)?
  • Do the CI tests pass with this change (enable it first in your forked repo and wait for the github action build to finish)?
  • Is the new or changed code fully tested?
  • Is a documentation update included (if this change modifies existing APIs, or introduces new ones)?
  • Is there an example added to the examples folder (if applicable)?
  • Was the change added to CHANGES file?

NOTE: these things are not required to open a PR and can be done
afterwards / while the PR is open.

Description of change

This PR adds an explicit permissions section to workflows. This is a security best practice because by default workflows run with an extended set of permissions (except for on: pull_request from external forks). By specifying any permission explicitly, all others are set to none. By using the principle of least privilege, the damage a compromised workflow can do (because of an injection or a compromised third-party tool or action) is restricted.
It is recommended to have the most strict permissions on the top level and grant write permissions on the job level case by case.

Signed-off-by: Alex <aleksandrosansan@gmail.com>
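As an added example (not code from the PR, from redis-py or from release-drafter), here is a small audit script for the rule the description states: a workflow without a top-level `permissions:` block runs with the default token scopes, and any explicit block sets every unlisted scope to none. It ships with two constructed workflows, one with no permissions block and one following the PR's pattern (strictest at the top level, write scopes granted only on the job that needs them). The action pin `release-drafter/release-drafter@v5` and the `contents: write` scope on the draft job are assumptions, and the reader is an indentation-based scanner rather than a YAML parser, so it handles mapping-style `permissions:` blocks only.

```python
import re

# GITHUB_TOKEN scopes a `permissions:` block can set (partial list; used to
# expand the read-all / write-all shorthands).
SCOPES = ("actions", "checks", "contents", "deployments", "id-token", "issues",
          "packages", "pages", "pull-requests", "security-events", "statuses")


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def _children(lines, idx):
    """The run of deeper-indented lines nested under lines[idx]."""
    base, out = _indent(lines[idx]), []
    for line in lines[idx + 1:]:
        if _indent(line) <= base:
            break
        out.append(line)
    return out


def _find_key(lines, key, indent):
    """Index of `key:` at exactly this indentation, or None."""
    pat = re.compile(r"\s*" + re.escape(key) + r"\s*:")
    return next((i for i, l in enumerate(lines) if _indent(l) == indent and pat.match(l)), None)


def _parse_permissions(lines, idx):
    """Read a `permissions:` block: read-all / write-all / {} shorthand, or a scope map."""
    value = lines[idx].partition(":")[2].split("#", 1)[0].strip()
    if value in ("read-all", "write-all"):
        return {scope: value.split("-")[0] for scope in SCOPES}
    if value == "{}":
        return {}  # everything explicitly none
    perms = {}
    for line in _children(lines, idx):
        m = re.match(r"\s*([a-z-]+)\s*:\s*(read|write|none)\b", line)
        if m:
            perms[m.group(1)] = m.group(2)
    return perms


def audit(workflow_yaml):
    """Top-level and per-job permissions of a workflow, plus hardening findings.

    Indentation-based reader, not a full YAML parser: enough for the mapping-style
    `permissions:` blocks that workflows use.
    """
    lines = [l.rstrip() for l in workflow_yaml.splitlines()
             if l.strip() and not l.lstrip().startswith("#")]
    result = {"top_level": None, "jobs": {}, "findings": []}

    top = _find_key(lines, "permissions", 0)
    if top is None:
        result["findings"].append("no top-level permissions: GITHUB_TOKEN keeps the "
                                  "repository default, which can be write-all")
    else:
        result["top_level"] = _parse_permissions(lines, top)
        writes = sorted(s for s, lvl in result["top_level"].items() if lvl == "write")
        if writes:
            result["findings"].append(
                f"top-level write permissions {writes}: grant them per job instead")

    jobs = _find_key(lines, "jobs", 0)
    job_lines = _children(lines, jobs) if jobs is not None else []
    for i, line in enumerate(job_lines):
        if _indent(line) != _indent(job_lines[0]):
            continue  # not a job name, but something nested inside a job
        name = line.strip().rstrip(":")
        body = _children(job_lines, i)
        p = _find_key(body, "permissions", _indent(body[0])) if body else None
        perms = _parse_permissions(body, p) if p is not None else None
        result["jobs"][name] = perms
        if perms is None and top is None:
            result["findings"].append(f"job {name!r} inherits the default token permissions")
    return result


# Constructed sample: no permissions block at all, so the token keeps the default scopes.
WEAK_WORKFLOW = """\
name: Release Drafter
on: push
jobs:
  update_release_draft:
    runs-on: ubuntu-latest
    steps:
      - uses: release-drafter/release-drafter@v5   # assumed pin
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
"""

# Constructed sample following the PR's pattern: strictest at the top level,
# write scopes granted only on the job that needs them.
HARDENED_WORKFLOW = """\
name: Release Drafter
on: push
permissions:
  contents: read
jobs:
  update_release_draft:
    permissions:
      contents: write        # assumed: the action updates the draft release
      pull-requests: write   # read is enough if the autolabeler is not used
    runs-on: ubuntu-latest
    steps:
      - uses: release-drafter/release-drafter@v5   # assumed pin
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
"""
```

Call `audit(WEAK_WORKFLOW)` and `audit(HARDENED_WORKFLOW)` to compare the two; to check a repository, feed each file under `.github/workflows/` to `audit()` and fail the build on any non-empty `findings`. The check matches the semantics in the description: once any `permissions:` key is present, scopes not listed are none, so only write scopes that are both present and job-level pass silently.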
chayim added the label maintenance (Maintenance (CI, Releases, etc)) on Nov 6, 2022
Review comment on these lines of the diff:

    jobs:
      update_release_draft:
        permissions:
          pull-requests: write # to add label to PR (release-drafter/release-drafter)

Contributor: Does the drafter need this permission? We don't use it to add permissions; rather, we rely on the permissions set in the PR. WDYT?

sashashura (Contributor Author):

These are the permissions the author documented as needed in the readme: https://github.com/release-drafter/release-drafter/blob/6df64e4ba4842c203c604c1f45246c5863410adb/README.md?plain=1#L35-L39
Note that the pull-requests permission can be read-only if the autolabeler is not used.

> We don't use it to add permissions, rather rely on the permissions set in the PR.

I'm not sure I understand the question. The lines do not add new permissions; the default ones are write to all. The lines remove everything not explicitly mentioned.

sashashura (Contributor Author):

I.e., the workflow runs on push, not on pull-request, with write-to-all permissions.

codecov-commenter commented Nov 13, 2022

Codecov Report

Base: 92.22% // Head: 92.21% // Decreases project coverage by -0.01% ⚠️

Coverage data is based on head (af61db2) compared to base (fa45fb1).
Patch has no changes to coverable lines.

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #2444      +/-   ##
==========================================
- Coverage   92.22%   92.21%   -0.02%     
==========================================
  Files         113      113              
  Lines       29239    29239              
==========================================
- Hits        26965    26962       -3     
- Misses       2274     2277       +3     
| Impacted file | Coverage Δ |
|---|---|
| redis/asyncio/connection.py | 86.44% <0.00%> (-0.13%) ⬇️ |
| tests/test_cluster.py | 96.86% <0.00%> (-0.12%) ⬇️ |


dvora-h merged commit e3e223b into redis:master on Nov 21, 2022
Labels: maintenance (Maintenance (CI, Releases, etc))
4 participants