ci: add minimum GitHub token permissions for workflows #13645
Conversation
Signed-off-by: Ashish Kurmi <[email protected]>
| @@ -15,6 +15,9 @@ on: | |||
| - 'mypy/test/**' | |||
| - 'test-data/**' | |||
|
|
|||
| permissions: | |||
There was a problem hiding this comment.
There was a problem hiding this comment.
Hello @sobolevn, I analyzed all of the workflows included in the project and found that they only need contents:read to function hence I added it on all workflow files.
There was a problem hiding this comment.
We don't need these lines anymore: https://github.com/python/mypy/pull/13645/files#diff-1d3e91c57336ce4ff8a9d5762ddc5ffa66f99f0afb918aab0b02e53db80bf54cR25-R26
There was a problem hiding this comment.
Maybe there are other places where we already have permissions: set?
There was a problem hiding this comment.
@sobolevn yes, mypy_primer_comment.yml already has token permission set hence I did not include it in the PR. This change will increase the security of other workflow files.
|
According to mypy_primer, this change has no effect on the checked open source code. 🤖🎉 |
|
Thanks for reviewing the PR @sobolevn ! I just addressed your comment, please take a look when you get a chance. |
|
Thanks, I think fixed in #15965 |
Description
This PR adds minimum token permissions for the GITHUB_TOKEN in GitHub Actions workflows using https://github.com/step-security/secure-workflows.
The GitHub Actions workflow has a GITHUB_TOKEN with write access to multiple scopes.
Here is an example of the permissions in one of the workflow runs:
https://github.com/python/mypy/runs/8253080028?check_suite_focus=true#step:1:19
After this change, the scopes will be reduced to the minimum needed for the following workflows:
The following workflow already has the least privileged token permission set:
Motivation and Context
https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token
Signed-off-by: Ashish Kurmi [email protected]