Set minimum permissions for workflows #1900

@gabibguti

Description

Is your feature request related to a problem? Please describe.
GitHub workflows are granted high permissions by default. These permissions allow, for example, deleting your source code and publishing releases. The permissions can be exploited by malicious actions run in the workflow or by malicious PRs if run on pull_request_target. This is especially important when using 3P actions such as:

.

Describe the solution you'd like
Set restricted permissions to run GitHub workflows or declare minimum permissions in the workflows.
e.g. permissions: contents: read for workflows that only need to do actions/checkout.

Describe alternatives you've considered
None.

Additional context
My name is Gabriela and I work on behalf of Google and the OpenSSF suggesting supply-chain security changes.
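A constructed example of the change this issue asks for (not code from the issue or from this repository): a workflow that relies on the default GITHUB_TOKEN permissions, beside the same workflow with explicit least-privilege permissions. Workflow names, the release script path and the action version tags are placeholders.

```yaml
# File 1 (constructed, "before"): no `permissions` block, so GITHUB_TOKEN
# receives the repository's default scopes, which may include contents: write.
# Every step, including third-party actions, runs with that token.
name: ci-before
on: [pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # placeholder ref; pin 3P actions to a commit SHA
      - run: make test

---
# File 2 (constructed, "after"): least privilege. The top-level block makes
# read-only the default for every job; checkout needs nothing more. Only the
# release job re-elevates, and only to the single scope it needs.
# (`---` separates two workflow files shown in one listing; GitHub expects
# one workflow per file.)
name: ci-after
on:
  pull_request:
  push:
    tags: ['v*']
permissions:
  contents: read          # sufficient for actions/checkout
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make test
  release:
    if: startsWith(github.ref, 'refs/tags/v')
    needs: test
    runs-on: ubuntu-latest
    permissions:
      contents: write     # job-level grant, scoped to the one job that publishes
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/publish-release.sh   # placeholder
```

Repository or organization settings can additionally set the default token permissions to read-only, so a workflow that forgets the block gets the restrictive default rather than write access.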

Labels

type: feature request ('Nice-to-have' improvement, new feature or different behavior or design.)