Set workflows to run with read-only permissions

[pnacht]

/kind feature

Why you need this feature:

Kubeflow's workflows are running with write-all permissions. This puts the project at risk of supply-chain attacks.

I took a look at all the workflows and none of them seem to require significant permissions.

Describe the solution you'd like:

There are two solutions:

• all the workflows can be set with read-only top-level permissions; and/or
• the default workflow token can be set to read-only

I'll send a PR setting top-level permissions for all workflows. If you also/instead want to change the default token:

1. Open the repo settings
2. Go to Actions > General
3. Under "Workflow permissions", set them to "Read repository contents and packages permissions"

Anything else you would like to add:

My name is Pedro and I work with Google and the Open Source Security Foundation (OpenSSF) to improve the supply-chain security of the open-source ecosystem.

[google-oss-prow]

@juliusvonkohout: Closing this issue.

In response to this:

/close

wrong repository, use kubeflow/pipelines instead

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[juliusvonkohout]

/reopen

since it is about github actions, not kubeflow pipelines

[google-oss-prow]

@juliusvonkohout: Reopened this issue.

In response to this:

/reopen

since it is about github actions, not kubeflow pipelines

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[andreyvelich]

/transfer notebooks

[google-oss-prow]

@pnacht: The label(s) kind/feature cannot be applied, because the repository doesn't have them.

In response to this:

/kind feature

Why you need this feature:

Kubeflow's workflows are running with write-all permissions. This puts the project at risk of supply-chain attacks.

I took a look at all the workflows and none of them seem to require significant permissions.

Describe the solution you'd like:

There are two solutions:

• all the workflows can be set with read-only top-level permissions; and/or
• the default workflow token can be set to read-only

I'll send a PR setting top-level permissions for all workflows. If you also/instead want to change the default token:

1. Open the repo settings
2. Go to Actions > General
3. Under "Workflow permissions", set them to "Read repository contents and packages permissions"

Anything else you would like to add:

My name is Pedro and I work with Google and the Open Source Security Foundation (OpenSSF) to improve the supply-chain security of the open-source ecosystem.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[github-actions]

This issue has been automatically marked as stale because it has not had recent activity.
It will be closed if no further activity occurs.
Thank you for your contributions.

Members may comment /lifecycle frozen to prevent this issue from being marked as stale.

[juliusvonkohout]

/lifecycle frozen
@thesuperzapper