Skip to content

make GitHub workflow permissions explicit #1692

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

make GitHub workflow permissions explicit #1692

wants to merge 1 commit into from

Conversation

cedricvanrompay-datadog
Copy link

Summary

make GitHub workflow permissions explicit

Changes

Add a top-level permissions field in each GitHub workflow file.

Note that this should not lead to any changes in the permissions workflows currently have because the permissions written mirror the default permissions or are overwritten by job-level permissions

Motivation

It makes workflow permissions easier to read and understand, and it makes some scanner happy like OSSF Scorecard: https://deps.dev/project/github/stretchr%2Ftestify

Related issues

None.

@dolmen
Copy link
Collaborator

dolmen commented Jan 7, 2025

Please add more context in the description of this PR, such as links to GitHub documentation about the permissions settings in the workflow file.

@dolmen dolmen added help wanted internal/testing Changes purely related to the testify testsuites labels Jan 7, 2025
brackendawson
brackendawson reviewed Mar 18, 2025
View reviewed changes
Copy link
Collaborator

@brackendawson brackendawson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm all for following the principle of least privilege, why do we need packages: read?

.github/workflows/main.yml
Comment on lines +4 to +7
permissions:
contents: read
packages: read

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This does change the permissions of the workflow. According to the docs any permission not set in this dict will now be set to none, which will be different to the default.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure this really changes the permissions from the default.

This document says that the default permissions are contents: read, packages: read ... if we are in restricted mode (but I don't know if that is the case).

But I'm not sure we even need both.

@dolmen
Copy link
Collaborator

dolmen commented May 25, 2025

@cedricvanrompay-datadog Please fix this: #1692 (comment)

dolmen
dolmen requested changes May 25, 2025
View reviewed changes
Copy link
Collaborator

@dolmen dolmen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The setup-go action recommends contents: read permission. No mention of packages: read.

The checkout action also recommends contents: read permission. No mention of packages: read.

So I don't see a reason to grant packages: read.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@brackendawson brackendawson brackendawson left review comments

@dolmen dolmen dolmen requested changes

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
help wanted internal/testing Changes purely related to the testify testsuites
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@cedricvanrompay-datadog @dolmen @brackendawson