-
Notifications
You must be signed in to change notification settings - Fork 24
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Lock down GitHub Actions Security #50
Comments
TODO:
|
Here is my currently rough plan for replacing the actions:
BTW, I noticed lots of Rust projects use the |
TODO:
|
TODO:
|
Regarding |
After switching to my forks of each action I used, I also switched the Allowed Actions setting of this repository to "Allow local actions only." |
For the codecov action, we might consider using the GitHub Actions artifacts mechanism (https://docs.github.com/en/actions/guides/storing-workflow-data-as-artifacts) to separate the collecting of the coverage, which requires a git checkout, from the uploading of the coverage results to codecov, which doesn't.
|
Since I forked the entire repository for each action, that means every revision of every action, with every tag and every commit, is in my fork. Instead of "Allow local actions only," having an allowlist of a single specific tag (v1, v2, whatever) for each action would be safer. I'll give that a shot tomorrow. |
Restrict permissions of github token. Pin action versions. Following advice in briansmith/untrusted#50.
Restrict permissions of github token. Pin action versions. Following advice in briansmith/untrusted#50.
Following some of the advice given in briansmith/untrusted#50.
In https://docs.github.com/en/actions/security-guides/automatic-token-authentication it is noted that if we set the repository- or organization- level Actions policy to be "restricted" then we get exactly what we want. But, I couldn't find a way to publicly expose the fact that the Actions policy is "restricted," nor could I find a way to declare in the workflow YAML that I want the workflow to use "restricted" defaults. In https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token several permissions besides "contents" are mentioned, but in our YAML we only lock don't the Should we have a job that simply checks the workflow configuration? E.g. checks that the repository is in "restricted" default mode and/or enumerates all the permissions and verifies that they are all |
I just merged PR #49 which minimizes the permissions of the GitHub token. I also changed the default permission of the GitHub token from read-write to read-only in the repository settings over the weekend, but I don't think people can see this.
Now we still need to follow the (rest of the) guidance in https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions to lock down our CI/CD.
untrusted
has no dependencies besides actions and the Rust toolchain, so it is less urgent to do work to ensure dependencies are following the recommended GitHub Actions security practices. However, eventually we'll need to extend our CI/CD to ensure that no new dependencies without such hardening are added as dependencies of untrusted.The text was updated successfully, but these errors were encountered: