Reduce the scope of the GITHUB_TOKEN by default #2139

Open
mpkorstanje opened this issue Dec 2, 2022 · 2 comments
Labels
🏦 debt Tech debt 🥒 core team Candidate for going onto the Cucumber Open Board: https://github.com/orgs/cucumber/projects/8

mpkorstanje commented Dec 2, 2022

@sashashura has been submitting a number of PRs to the Cucumber org that reduce the access to the GitHub token for specific actions. This block-list approach is unfortunately scattergun and doesn't scale well; it is also insecure by default.

This PR adds an explicit permissions section to workflows. This is a security best practice because by default workflows run with an extended set of permissions (except for on: pull_request from external forks). By specifying any permission explicitly, all others are set to none. By using the principle of least privilege, the damage a compromised workflow can do (because of an injection or a compromised third-party tool or action) is restricted. It is recommended to have the most strict permissions at the top level and grant write permissions at job level case by case.
Originally posted by @sashashura in cucumber/cucumber-jvm#2618 (comment)

This doesn't look like the correct solution you are highlighting. Looking at "How the permissions are calculated for a workflow job", it appears we can limit the scope of the GITHUB_TOKEN for the organization by default and then only increase it for the specific workflows that need it.

The permissions for the GITHUB_TOKEN are initially set to the default setting for the enterprise, organization, or repository. If the default is set to the restricted permissions at any of these levels then this will apply to the relevant repositories. For example, if you choose the restricted default at the organization level then all repositories in that organization will use the restricted permissions as the default. The permissions are then adjusted based on any configuration within the workflow file, first at the workflow level and then at the job level. Finally, if the workflow was triggered by a pull request from a forked repository, and the Send write tokens to workflows from pull requests setting is not selected, the permissions are adjusted to change any write permissions to read only.

Originally posted by @mpkorstanje in cucumber/cucumber-jvm#2618 (comment)

By reducing the scope across the organization we only have to increase it for the cucumber/action-create-github-release. All other actions do (as far as I know) require elevated permissions.

mpkorstanje commented Dec 2, 2022

We can also limit the actions allowed in the organisation in a few different ways:

  • Only allow actions, cucumber org actions.
  • Only allow actions, cucumber org actions and actions from verified publishers.

We currently have these non-Cucumber, non-GitHub-provided actions; I can't tell which ones are verified publishers:

mpkorstanje@nyx:~/Projects/cucumber/code-search$ grep -r uses: | grep ".github"  | cut -d ":" -f 3 | sort | uniq | grep -v cucumber | grep -v actions
 8398a7/action-slack@v3
 arduino/setup-protoc@v1
 aurelien-baudet/workflow-dispatch@v2
 codecov/codecov-action@v1
 codecov/codecov-action@v3
 coverallsapp/github-action@master
 dart-lang/[email protected]
 docker/bake-action@v2
 docker/build-push-action@v3
 docker/login-action@v2
 docker/setup-buildx-action@v2
 docker/setup-qemu-action@v2
 erlef/setup-beam@v1
 GabrielBB/xvfb-action@v1
 golangci/[email protected]
 goreleaser/goreleaser-action@v2
 goreleaser/[email protected]
 HaaLeo/publish-vscode-extension@v1
 marocchino/sticky-pull-request-comment@v2
 mymindstorm/setup-emsdk@v11
 ocaml/setup-ocaml@v2
 pulumi/setup-pulumi@v2
 reactivecircus/android-emulator-runner@v2
 ruby/setup-ruby@v1
 shivammathur/setup-php@v2
 snok/install-poetry@v1
 softprops/action-gh-release@v1
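
The permissions layout described in the issue body (read-only token at the top of the workflow, contents:write granted to one job) and the inventory of third-party actions in the comment above, combined into one added example; this is not code from this issue or from the Cucumber project. The two workflow files it writes are constructed samples (the third-party actions are taken from the list above, the `@v1` tag on cucumber/action-create-github-release is a placeholder), and the helper function names are mine.

```shell
#!/bin/sh
# Added example (not from this issue or the Cucumber project): write two
# constructed sample workflows, then audit them for the three things the
# thread discusses: top-level GITHUB_TOKEN scope, which third-party actions
# are in use, and whether those actions are pinned to an immutable ref.

# Write two constructed workflows under "$1/.github/workflows".
write_samples() {
  wf="$1/.github/workflows"
  mkdir -p "$wf"
  # Least-privilege layout: read-only token for the whole workflow,
  # contents:write granted only to the job that creates the release.
  cat > "$wf/release.yml" <<'EOF'
name: release
on:
  push:
    tags: ['v*']
permissions:
  contents: read          # default for every job in this workflow
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - run: ./build.sh
  publish:
    runs-on: ubuntu-latest
    needs: build
    permissions:
      contents: write      # this job alone may create the GitHub release
    steps:
      - uses: actions/checkout@v3
      - uses: cucumber/action-create-github-release@v1   # tag is a placeholder
      - uses: softprops/action-gh-release@v1
EOF
  # No permissions block at all: the job inherits the repo/org default,
  # and pulls a third-party action from a moving branch.
  cat > "$wf/ci.yml" <<'EOF'
name: ci
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - run: make test
      - uses: codecov/codecov-action@v3
      - uses: coverallsapp/github-action@master
EOF
}

# Every "uses:" target that is neither a GitHub-owned, a cucumber-org,
# nor a local (./) action, deduplicated.
list_third_party() {
  grep -rhoE 'uses:[[:space:]]*[^[:space:]#]+' "$1/.github/workflows" \
    | sed -E 's/^uses:[[:space:]]*//' \
    | grep -Ev '^(actions|github|cucumber)/' \
    | grep -v '^\./' \
    | sort -u
}

# Third-party actions not pinned to a full 40-hex commit SHA; a tag or a
# branch such as @master can be moved by the action's owner at any time.
unpinned_third_party() {
  list_third_party "$1" | grep -Ev '@[0-9a-f]{40}$' | sort -u
}

# Workflow files with no top-level "permissions:" key: these run with
# whatever default the enterprise, org or repository sets.
missing_permissions() {
  for f in "$1"/.github/workflows/*.yml; do
    grep -qE '^permissions:' "$f" || basename "$f"
  done
}

# Usage: sh audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  write_samples "$tmp"
  echo "third-party actions:";      list_third_party "$tmp"
  echo "unpinned third-party:";     unpinned_third_party "$tmp"
  echo "no top-level permissions:"; missing_permissions "$tmp"
  rm -rf "$tmp"
fi
```

Two caveats worth keeping in mind when reading the output. `permissions: {}` at the top of a workflow drops every scope, which is the tightest starting point when the org default is still "write"; and the read-only downgrade the GitHub docs describe applies to `pull_request` runs from forks, not to `pull_request_target`, which runs in the base repository's context with its full token.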

@mpkorstanje

Projects that use cucumber/action-create-github-release and would therefore definitely need elevated permissions:

mpkorstanje@nyx:~/Projects/cucumber/code-search$ grep -rl cucumber/action-create-github-release | cut -d '/' -f 1
cucumber-expressions
blockly
cucumber-parent
action-get-versions
gherkin
message-streams
action-publish-rubygem
action-publish-sbt
action-publish-nuget
action-publish-hex
action-create-github-release
action-create-github-release
action-create-github-release
action-create-github-release
action-create-github-release
action-create-github-release
gherkin-streams
cucumber-jvm-scala
action-publish-npm
multi_test
html-formatter
compatibility-kit
action-create-release-pr
cucumber-js-pretty-formatter
ci-environment
cucumber-js
react-components
language-server
action-publish-subrepo
screenplay.js
build
cucumber-ruby
language-service
cucumber-ruby-wire
cucumber-json-converter
monaco
cucumber-android
messages
action-publish-mvn
gherkin-utils
action-publish-pypi
microdata
split-java
tag-expressions
query
action-publish-cpan
cucumber-ruby-core
cucumber-rails
release-tests
cucumber-jvm

@mattwynne mattwynne self-assigned this Jan 12, 2023
@mattwynne mattwynne added 🏦 debt Tech debt 🥒 core team Candidate for going onto the Cucumber Open Board: https://github.com/orgs/cucumber/projects/8 labels Jan 12, 2023