From 65f9c3012bed807253f1c91aa9ee79234cdd517a Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Tue, 8 Apr 2025 11:39:47 -0400
Subject: [PATCH 1/3] Disable GH permissions monitoring everywhere

This functionality (https://github.com/GitHubSecurityLab/actions-permissions/tree/main/monitor) is poorly implemented and has been causing problems due to the MITM implementation hogging or leaking memory. This functionality should be re-enabled when practical. See cisagov/skeleton-generic#207 for more details.
---
 .github/workflows/build.yml | 20 ++++++++++++++------
 .github/workflows/codeql-analysis.yml | 20 ++++++++++++++------
 .github/workflows/dependency-review.yml | 20 ++++++++++++++------
 .github/workflows/sync-labels.yml | 20 ++++++++++++++------
 4 files changed, 56 insertions(+), 24 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index eeebb23..130ec8c 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -42,9 +42,13 @@ jobs:
 check_github_status: "true"
 # This functionality is poorly implemented and has been
 # causing problems due to the MITM implementation hogging or
- # leaking memory. If this happens to you just uncomment
- # this line.
- # monitor_permissions: "false"
+ # leaking memory. As a result we disable it by default. If
+ # you want to temporarily enable it, simply set
+ # monitor_permissions equal to "true".
+ #
+ # TODO: Re-anable this functionality when practical. See
+ # cisagov/skeleton-generic#207 for more details.
+ monitor_permissions: "false"
 output_workflow_context: "true"
 # Use a variable to specify the permissions monitoring
 # configuration. By default this will yield the
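Review bot: The new comment above `monitor_permissions: "false"` explains how to switch the monitor back on but says nothing about what the workflow loses while it is off: the actions-permissions monitor appears to be the only runtime check here that reports which GITHUB_TOKEN scopes a job actually used, so the workflow's own `permissions:` block (outside this hunk) becomes the sole guard against over-broad scopes. I would add one line to the comment, `# While this is disabled nothing reports unused scopes, so keep the workflow's permissions block minimal by hand.` The same eight-line comment is pasted verbatim into the second hunk of this file and into codeql-analysis.yml, dependency-review.yml and sync-labels.yml; since every copy already cites cisagov/skeleton-generic#207, a one-line pointer to that issue would stop the copies from drifting, which the follow-up typo commits in this series show they already do.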
@@ -73,9 +77,13 @@ jobs:
 with:
 # This functionality is poorly implemented and has been
 # causing problems due to the MITM implementation hogging or
- # leaking memory. If this happens to you just uncomment
- # this line.
- # monitor_permissions: "false"
+ # leaking memory. As a result we disable it by default. If
+ # you want to temporarily enable it, simply set
+ # monitor_permissions equal to "true".
+ #
+ # TODO: Re-anable this functionality when practical. See
+ # cisagov/skeleton-generic#207 for more details.
+ monitor_permissions: "false"
 # Use a variable to specify the permissions monitoring
 # configuration. By default this will yield the
 # configuration stored in the cisagov organization-level
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index d1590e9..382999a 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -39,9 +39,13 @@ jobs:
 check_github_status: "true"
 # This functionality is poorly implemented and has been
 # causing problems due to the MITM implementation hogging or
- # leaking memory. If this happens to you just uncomment
- # this line.
- # monitor_permissions: "false"
+ # leaking memory. As a result we disable it by default. If
+ # you want to temporarily enable it, simply set
+ # monitor_permissions equal to "true".
+ #
+ # TODO: Re-anable this functionality when practical. See
+ # cisagov/skeleton-generic#207 for more details.
+ monitor_permissions: "false"
 output_workflow_context: "true"
 # Use a variable to specify the permissions monitoring
 # configuration. By default this will yield the
@@ -86,9 +90,13 @@ jobs:
 with:
 # This functionality is poorly implemented and has been
 # causing problems due to the MITM implementation hogging or
- # leaking memory. If this happens to you just uncomment
- # this line.
- # monitor_permissions: "false"
+ # leaking memory. As a result we disable it by default. If
+ # you want to temporarily enable it, simply set
+ # monitor_permissions equal to "true".
+ #
+ # TODO: Re-anable this functionality when practical. See
+ # cisagov/skeleton-generic#207 for more details.
+ monitor_permissions: "false"
 # Use a variable to specify the permissions monitoring
 # configuration. By default this will yield the
 # configuration stored in the cisagov organization-level
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 9901352..52a3ee9 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -30,9 +30,13 @@ jobs:
 check_github_status: "true"
 # This functionality is poorly implemented and has been
 # causing problems due to the MITM implementation hogging or
- # leaking memory. If this happens to you just uncomment
- # this line.
- # monitor_permissions: "false"
+ # leaking memory. As a result we disable it by default. If
+ # you want to temporarily enable it, simply set
+ # monitor_permissions equal to "true".
+ #
+ # TODO: Re-anable this functionality when practical. See
+ # cisagov/skeleton-generic#207 for more details.
+ monitor_permissions: "false"
 output_workflow_context: "true"
 # Use a variable to specify the permissions monitoring
 # configuration. By default this will yield the
@@ -62,9 +66,13 @@ jobs:
 with:
 # This functionality is poorly implemented and has been
 # causing problems due to the MITM implementation hogging or
- # leaking memory. If this happens to you just uncomment
- # this line.
- # monitor_permissions: "false"
+ # leaking memory. As a result we disable it by default. If
+ # you want to temporarily enable it, simply set
+ # monitor_permissions equal to "true".
+ #
+ # TODO: Re-anable this functionality when practical. See
+ # cisagov/skeleton-generic#207 for more details.
+ monitor_permissions: "false"
 # Use a variable to specify the permissions monitoring
 # configuration. By default this will yield the
 # configuration stored in the cisagov organization-level
diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml
index 07c0acf..04503e2 100644
--- a/.github/workflows/sync-labels.yml
+++ b/.github/workflows/sync-labels.yml
@@ -26,9 +26,13 @@ jobs:
 check_github_status: "true"
 # This functionality is poorly implemented and has been
 # causing problems due to the MITM implementation hogging or
- # leaking memory. If this happens to you just uncomment
- # this line.
- # monitor_permissions: "false"
+ # leaking memory. As a result we disable it by default. If
+ # you want to temporarily enable it, simply set
+ # monitor_permissions equal to "true".
+ #
+ # TODO: Re-anable this functionality when practical. See
+ # cisagov/skeleton-generic#207 for more details.
+ monitor_permissions: "false"
 output_workflow_context: "true"
 # Use a variable to specify the permissions monitoring
 # configuration. By default this will yield the
@@ -59,9 +63,13 @@ jobs:
 with:
 # This functionality is poorly implemented and has been
 # causing problems due to the MITM implementation hogging or
- # leaking memory. If this happens to you just uncomment
- # this line.
- # monitor_permissions: "false"
+ # leaking memory. As a result we disable it by default. If
+ # you want to temporarily enable it, simply set
+ # monitor_permissions equal to "true".
+ #
+ # TODO: Re-anable this functionality when practical. See
+ # cisagov/skeleton-generic#207 for more details.
+ monitor_permissions: "false"
 # Use a variable to specify the permissions monitoring
 # configuration. By default this will yield the
 # configuration stored in the cisagov organization-level

From 2cfc534f2a4cb11d5bd310f6cfe5832565399885 Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Tue, 8 Apr 2025 12:57:31 -0400
Subject: [PATCH 2/3] Fix typo that was copied and pasted all over the show

Co-authored-by: David Harris <123905168+dv4harr10@users.noreply.github.com>
---
 .github/workflows/build.yml | 4 ++--
 .github/workflows/codeql-analysis.yml | 4 ++--
 .github/workflows/dependency-review.yml | 2 +-
 .github/workflows/sync-labels.yml | 4 ++--
 4 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 130ec8c..7fe4f16 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -46,7 +46,7 @@ jobs:
 # you want to temporarily enable it, simply set
 # monitor_permissions equal to "true".
 #
- # TODO: Re-anable this functionality when practical. See
+ # TODO: Re-enable this functionality when practical. See
 # cisagov/skeleton-generic#207 for more details.
 monitor_permissions: "false"
 output_workflow_context: "true"
@@ -81,7 +81,7 @@ jobs:
 # you want to temporarily enable it, simply set
 # monitor_permissions equal to "true".
 #
- # TODO: Re-anable this functionality when practical. See
+ # TODO: Re-enable this functionality when practical. See
 # cisagov/skeleton-generic#207 for more details.
 monitor_permissions: "false"
 # Use a variable to specify the permissions monitoring
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 382999a..dd59d04 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -43,7 +43,7 @@ jobs:
 # you want to temporarily enable it, simply set
 # monitor_permissions equal to "true".
 #
- # TODO: Re-anable this functionality when practical. See
+ # TODO: Re-enable this functionality when practical. See
 # cisagov/skeleton-generic#207 for more details.
 monitor_permissions: "false"
 output_workflow_context: "true"
@@ -94,7 +94,7 @@ jobs:
 # you want to temporarily enable it, simply set
 # monitor_permissions equal to "true".
 #
- # TODO: Re-anable this functionality when practical. See
+ # TODO: Re-enable this functionality when practical. See
 # cisagov/skeleton-generic#207 for more details.
 monitor_permissions: "false"
 # Use a variable to specify the permissions monitoring
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 52a3ee9..f98c687 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -70,7 +70,7 @@ jobs:
 # you want to temporarily enable it, simply set
 # monitor_permissions equal to "true".
 #
- # TODO: Re-anable this functionality when practical. See
+ # TODO: Re-enable this functionality when practical. See
 # cisagov/skeleton-generic#207 for more details.
 monitor_permissions: "false"
 # Use a variable to specify the permissions monitoring
diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml
index 04503e2..fa6f772 100644
--- a/.github/workflows/sync-labels.yml
+++ b/.github/workflows/sync-labels.yml
@@ -30,7 +30,7 @@ jobs:
 # you want to temporarily enable it, simply set
 # monitor_permissions equal to "true".
 #
- # TODO: Re-anable this functionality when practical. See
+ # TODO: Re-enable this functionality when practical. See
 # cisagov/skeleton-generic#207 for more details.
 monitor_permissions: "false"
 output_workflow_context: "true"
@@ -67,7 +67,7 @@ jobs:
 # you want to temporarily enable it, simply set
 # monitor_permissions equal to "true".
 #
- # TODO: Re-anable this functionality when practical. See
+ # TODO: Re-enable this functionality when practical. See
 # cisagov/skeleton-generic#207 for more details.
 monitor_permissions: "false"
 # Use a variable to specify the permissions monitoring

From e0bf15782d8220a1886693bef704489df1df17cb Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Wed, 9 Apr 2025 09:48:38 -0400
Subject: [PATCH 3/3] Fix typo

---
 .github/workflows/dependency-review.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index f98c687..ee87e04 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -34,7 +34,7 @@ jobs:
 # you want to temporarily enable it, simply set
 # monitor_permissions equal to "true".
 #
- # TODO: Re-anable this functionality when practical. See
+ # TODO: Re-enable this functionality when practical. See
 # cisagov/skeleton-generic#207 for more details.
 monitor_permissions: "false"
 output_workflow_context: "true"