
Commit 79c4591

committed
ci: add job-level permissions for least-privilege security
Add explicit permissions blocks to every job in ci-orchestrator.yml, build_all_targets.yml, and ekf_update_change_indicator.yml. Each job now declares only the minimum GITHUB_TOKEN scopes it needs, satisfying github-advanced-security CodeQL findings. Remove unused issues:write from ci-orchestrator top-level permissions. Signed-off-by: Ramon Roche <mrpollo@gmail.com>
1 parent adebb2c commit 79c4591


3 files changed

+48
-1
lines changed


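--- a/.github/workflows/build_all_targets.yml
+++ b/.github/workflows/build_all_targets.yml
@@ -42,6 +42,9 @@ jobs:
 (github.event_name == 'workflow_run' && github.event.workflow_run.conclusion == 'success')
 # runs-on: ubuntu-latest
 runs-on: [runs-on,runner=1cpu-linux-x64,image=ubuntu24-full-x64,"run-id=${{ github.run_id }}",spot=false]
+permissions:
+contents: read
+actions: read
 outputs:
 matrix: ${{ steps.set-matrix.outputs.matrix }}
 timestamp: ${{ steps.set-timestamp.outputs.timestamp }}
@@ -99,6 +102,9 @@ jobs:
 # runs-on: ubuntu-latest
 runs-on: [runs-on,"runner=8cpu-linux-${{ matrix.runner }}","image=ubuntu24-full-${{ matrix.runner }}","run-id=${{ github.run_id }}",spot=false]
 needs: group_targets
+permissions:
+contents: read
+packages: read
 strategy:
 matrix: ${{ fromJson(needs.group_targets.outputs.matrix) }}
 fail-fast: false
@@ -179,6 +185,8 @@ jobs:
 runs-on: [runs-on,runner=1cpu-linux-x64,image=ubuntu24-full-x64,"run-id=${{ github.run_id }}",spot=false]
 needs: [setup, group_targets]
 if: startsWith(github.ref, 'refs/tags/v') || contains(fromJSON('["main","stable","beta"]'), needs.group_targets.outputs.branchname)
+permissions:
+contents: write
 outputs:
 uploadlocation: ${{ steps.upload-location.outputs.uploadlocation }}
 steps: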
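Review bot: The `contents: write` grant in the third hunk (new lines 188–189) is the only write scope added to this file, but the steps that consume it begin outside the hunk, so the diff does not show which step actually needs it; a comment directly above the block, such as `# contents: write: required by the "<upload step name>" step below; all other steps are read-only`, would keep the grant auditable. This workflow can be triggered by `workflow_run` (line 42), where the token carries the base repository's permissions regardless of where the triggering run originated, so the ref/branch gate in the `if:` just above the new block remains the effective control on that write scope and should stay next to it. The file's top-level `permissions:` is not visible in this diff; if it is absent, a top-level `permissions:` with `contents: read` would stop any job added later without its own block from inheriting the repository default.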

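--- a/.github/workflows/ci-orchestrator.yml
+++ b/.github/workflows/ci-orchestrator.yml
@@ -23,7 +23,6 @@ permissions:
 contents: read
 packages: read
 pull-requests: write
-issues: write
 
 env:
 MIN_FLASH_POS_DIFF_FOR_COMMENT: 50
@@ -39,6 +38,9 @@ jobs:
 gate-checks:
 name: Gate Checks [${{ matrix.check }}]
 runs-on: ubuntu-latest
+permissions:
+contents: read
+packages: read
 container:
 image: ghcr.io/px4/px4-dev:v1.16.0
 strategy:
@@ -62,6 +64,9 @@ jobs:
 shellcheck:
 name: Shellcheck
 runs-on: ubuntu-latest
+permissions:
+contents: read
+packages: read
 container:
 image: ghcr.io/px4/px4-dev:v1.16.0
 steps:
@@ -108,6 +113,8 @@ jobs:
 mavsdk-python-checks:
 name: MAVSDK Python [${{ matrix.check }}]
 runs-on: ubuntu-latest
+permissions:
+contents: read
 strategy:
 fail-fast: true
 matrix:
@@ -143,6 +150,8 @@ jobs:
 name: Build px4_sitl_default (for cache)
 needs: [gate-checks, shellcheck, mavsdk-python-checks]
 runs-on: [runs-on,runner=4cpu-linux-x64,image=ubuntu24-full-x64,"run-id=${{ github.run_id }}",spot=false]
+permissions:
+contents: read
 container:
 image: px4io/px4-dev:v1.16.0
 steps:
@@ -194,6 +203,8 @@ jobs:
 name: Basic Tests [${{ matrix.check }}]
 needs: [gate-checks, shellcheck, mavsdk-python-checks, build-sitl]
 runs-on: [runs-on,runner=4cpu-linux-x64,image=ubuntu24-full-x64,"run-id=${{ github.run_id }}",spot=false]
+permissions:
+contents: read
 container:
 image: px4io/px4-dev:v1.16.0
 strategy:
@@ -300,6 +311,8 @@ jobs:
 needs: [gate-checks, shellcheck, mavsdk-python-checks]
 if: github.event_name == 'pull_request'
 runs-on: [runs-on,runner=4cpu-linux-x64,image=ubuntu24-full-x64,"run-id=${{ github.run_id }}",spot=false]
+permissions:
+contents: read
 container:
 image: px4io/px4-dev:v1.16.0
 steps:
@@ -353,6 +366,8 @@ jobs:
 needs: [basic-tests, ekf-functional-check]
 if: always() && needs.basic-tests.result == 'success' && (needs.ekf-functional-check.result == 'success' || needs.ekf-functional-check.result == 'skipped')
 runs-on: [runs-on,runner=4cpu-linux-x64,image=ubuntu24-full-x64,"run-id=${{ github.run_id }}",spot=false]
+permissions:
+contents: read
 strategy:
 fail-fast: false
 matrix:
@@ -413,6 +428,8 @@ jobs:
 needs: [basic-tests, ekf-functional-check]
 if: always() && needs.basic-tests.result == 'success' && (needs.ekf-functional-check.result == 'success' || needs.ekf-functional-check.result == 'skipped')
 runs-on: macos-latest
+permissions:
+contents: read
 steps:
 - name: Install Python 3.10
 uses: actions/setup-python@v5
@@ -491,6 +508,8 @@ jobs:
 needs: [basic-tests, ekf-functional-check]
 if: always() && needs.basic-tests.result == 'success' && (needs.ekf-functional-check.result == 'success' || needs.ekf-functional-check.result == 'skipped')
 runs-on: [runs-on,runner=4cpu-linux-x64,image=ubuntu24-full-x64,"run-id=${{ github.run_id }}",spot=false]
+permissions:
+contents: read
 strategy:
 fail-fast: false
 matrix:
@@ -545,6 +564,8 @@ jobs:
 needs: [basic-tests, ekf-functional-check]
 if: always() && needs.basic-tests.result == 'success' && (needs.ekf-functional-check.result == 'success' || needs.ekf-functional-check.result == 'skipped')
 runs-on: [runs-on,runner=4cpu-linux-x64,image=ubuntu24-full-x64,"run-id=${{ github.run_id }}",spot=false]
+permissions:
+contents: read
 strategy:
 fail-fast: false
 matrix:
@@ -619,6 +640,8 @@ jobs:
 name: Publish Flash Analysis Results
 runs-on: [runs-on,runner=1cpu-linux-x64,image=ubuntu24-full-x64,"run-id=${{ github.run_id }}"]
 needs: [flash-analysis]
+permissions:
+pull-requests: write
 env:
 V5X-SUMMARY-MAP-ABS: ${{ fromJSON(fromJSON(needs.flash-analysis.outputs.px4_fmu-v5x-bloaty-summary-map).vm-absolute) }}
 V5X-SUMMARY-MAP-PERC: ${{ fromJSON(fromJSON(needs.flash-analysis.outputs.px4_fmu-v5x-bloaty-summary-map).vm-percentage) }}
@@ -678,6 +701,8 @@ jobs:
 needs: [basic-tests, ekf-functional-check]
 if: always() && needs.basic-tests.result == 'success' && (needs.ekf-functional-check.result == 'success' || needs.ekf-functional-check.result == 'skipped')
 runs-on: [runs-on,runner=4cpu-linux-x64,image=ubuntu24-full-x64,"run-id=${{ github.run_id }}",spot=false]
+permissions:
+contents: read
 container:
 image: px4io/px4-dev:v1.16.0
 steps:
@@ -720,6 +745,8 @@ jobs:
 needs: [ubuntu-builds, macos-build, itcm-check, flash-analysis, failsafe-sim]
 if: always() && needs.ubuntu-builds.result == 'success' && needs.macos-build.result == 'success' && needs.itcm-check.result == 'success' && needs.flash-analysis.result == 'success'
 runs-on: [runs-on,runner=4cpu-linux-x64,image=ubuntu22-full-x64,"run-id=${{ github.run_id }}",spot=false]
+permissions:
+contents: read
 container:
 image: px4io/px4-dev-simulation-focal:2021-09-08
 options: --privileged --ulimit core=-1 --security-opt seccomp=unconfined
@@ -829,6 +856,8 @@ jobs:
 needs: [ubuntu-builds, macos-build, itcm-check, flash-analysis, failsafe-sim]
 if: always() && needs.ubuntu-builds.result == 'success' && needs.macos-build.result == 'success' && needs.itcm-check.result == 'success' && needs.flash-analysis.result == 'success'
 runs-on: [runs-on,runner=4cpu-linux-x64,image=ubuntu22-full-x64,"run-id=${{ github.run_id }}",spot=false]
+permissions:
+contents: read
 container:
 image: px4io/px4-dev-ros2-galactic:2021-09-08
 options: --privileged --ulimit core=-1 --security-opt seccomp=unconfined
@@ -960,6 +989,8 @@ jobs:
 needs: [ubuntu-builds, macos-build, itcm-check, flash-analysis, failsafe-sim]
 if: always() && needs.ubuntu-builds.result == 'success' && needs.macos-build.result == 'success' && needs.itcm-check.result == 'success' && needs.flash-analysis.result == 'success'
 runs-on: [runs-on,runner=4cpu-linux-x64,image=ubuntu22-full-x64,"run-id=${{ github.run_id }}",spot=false]
+permissions:
+contents: read
 strategy:
 fail-fast: false
 matrix:
@@ -996,6 +1027,8 @@ jobs:
 needs: [ubuntu-builds, macos-build, itcm-check, flash-analysis, failsafe-sim]
 if: always() && needs.ubuntu-builds.result == 'success' && needs.macos-build.result == 'success' && needs.itcm-check.result == 'success' && needs.flash-analysis.result == 'success'
 runs-on: [runs-on,runner=4cpu-linux-x64,image=ubuntu24-full-x64,"run-id=${{ github.run_id }}",spot=false]
+permissions:
+contents: read
 strategy:
 fail-fast: false
 matrix:
@@ -1058,6 +1091,7 @@ jobs:
 needs: [gate-checks, shellcheck, mavsdk-python-checks, build-sitl, basic-tests, ekf-functional-check, ubuntu-builds, macos-build, itcm-check, flash-analysis, failsafe-sim, sitl-tests, ros-integration-tests, mavros-tests, ros-translation-node]
 if: always()
 runs-on: ubuntu-latest
+permissions: {}
 steps:
 - name: Generate CI Summary
 if: always()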
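Review bot: The workflow-level block in the first hunk still keeps `pull-requests: write` (line 25) as the fallback for any job without its own block, even though the publish job now declares that scope itself (new line 644) and the summary job is fenced with `permissions: {}` (new line 1094); reducing the top-level block to `contents: read` and `packages: read` would mean a job added later without a permissions block gets read-only access by default instead of PR-write. The publish job's block at new lines 643–644 lists only `pull-requests: write`, which sets every unlisted scope, including `contents`, to none; that is correct if the job never checks out the repository, but if one of its steps uses `actions/checkout` it will also need `contents: read` — the steps lie outside the hunk, so this could not be confirmed from the diff. The remaining hunks look consistent: `packages: read` is granted only to the jobs pulling from ghcr.io (gate-checks, shellcheck), and the jobs on Docker Hub images get `contents: read` alone.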

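--- a/.github/workflows/ekf_update_change_indicator.yml
+++ b/.github/workflows/ekf_update_change_indicator.yml
@@ -5,9 +5,14 @@ on:
 paths-ignore:
 - 'docs/**'
 
+permissions:
+contents: write
+
 jobs:
 unit_tests:
 runs-on: ubuntu-latest
+permissions:
+contents: write
 env:
 GIT_COMMITTER_EMAIL: bot@px4.io
 GIT_COMMITTER_NAME: PX4BuildBot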
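Review bot: The new workflow-level block (new lines 8–9) grants `contents: write` to every job by default, and the `unit_tests` job then repeats the identical grant (new lines 14–15), so the job-level block restricts nothing; to scope the write access to the one job that needs it, change the top-level block to `contents: read` (or `permissions: {}`) and keep `contents: write` only on `unit_tests`. The `GIT_COMMITTER_*` env just below suggests this job pushes commits, which is presumably why write is required; a comment above the job-level block naming the step that pushes, e.g. `# contents: write: the "<push step name>" step below commits to the repository`, would make the grant self-explaining. The `on:` triggers sit above the hunk; if any of them is `pull_request`, the write scope is not honoured for runs originating from forks, so the push step should not assume it.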
