From c67c2b298440aa76cd58d04bc338cd55a1cc762d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tim=20D=C3=BCsterhus?= Date: Fri, 22 Nov 2024 15:10:15 +0100 Subject: [PATCH] Configure fine-grained GitHub Action permissions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This change configures GitHub Actions to only allow reading the repository contents within the top-level workflow-wide permissions section. Extended permissions are then granted to individual jobs to make permissions “secure by default” even when additional jobs are added to an existing workflow. As a follow-up to this PR, the “Workflow Permissions” in the repository settings should be reconfigured to “Read repository contents and packages permissions” instead of “Read and write permissions” to also make additional workflows secure by default, even when a permissions section is not explicitly configured. --- .github/workflows/continuous-integration.yml | 3 +++ .github/workflows/docs.yml | 9 ++++++--- .github/workflows/release-unsigned-phar.yml | 4 +++- .github/workflows/release.yml | 6 ++++++ 4 files changed, 18 insertions(+), 4 deletions(-) diff --git a/.github/workflows/continuous-integration.yml b/.github/workflows/continuous-integration.yml index 7bebd100..d8e1a5c1 100644 --- a/.github/workflows/continuous-integration.yml +++ b/.github/workflows/continuous-integration.yml @@ -4,6 +4,9 @@ on: pull_request: push: +permissions: + contents: read + jobs: unit-tests: runs-on: ${{ matrix.operating-system }} diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index b0c33be3..b095dc62 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -8,11 +8,8 @@ on: # Allows you to run this workflow manually from the Actions tab workflow_dispatch: -# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages permissions: contents: read - pages: write - id-token: write # Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued. # However, do NOT cancel in-progress runs as we want to allow these production deployments to complete. @@ -52,6 +49,12 @@ jobs: url: ${{ steps.deployment.outputs.page_url }} runs-on: ubuntu-latest needs: build + permissions: + contents: read + # pages:write is required to deploy to GitHub pages. + pages: write + # id-token:write is required to deploy to GitHub pages. + id-token: write steps: - name: Deploy to GitHub Pages id: deployment diff --git a/.github/workflows/release-unsigned-phar.yml b/.github/workflows/release-unsigned-phar.yml index 88cf074b..959d52b5 100644 --- a/.github/workflows/release-unsigned-phar.yml +++ b/.github/workflows/release-unsigned-phar.yml @@ -3,8 +3,10 @@ name: "Release unsigned PHAR" on: workflow_call: -jobs: +permissions: + contents: read +jobs: build-phar: runs-on: ${{ matrix.operating-system }} strategy: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 3216b25d..9022cc26 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -5,6 +5,9 @@ on: types: - published +permissions: + contents: read + jobs: release-phar: runs-on: ${{ matrix.operating-system }} @@ -14,6 +17,9 @@ jobs: - ubuntu-latest php-versions: - '8.1' + permissions: + # contents:write is required to upload the binaries to the release. + contents: write steps: - name: Setup PHP uses: shivammathur/setup-php@v2