ci: Update GitHub Actions workflows to follow principle of least privilege #87254

Merged (1 commit) Mar 19, 2025

Conversation

kartben

@kartben kartben commented Mar 18, 2025

Default to only giving contents: read permission in all workflows and then add additional permissions as needed at the job level.

This shall get us a 10/10 for the Token-Permissions category in the OpenSSF score card :)

Note for reviewers: actions/upload-artifact and actions/download-artifact are apparently "special" and don't require extra permissions.
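The pattern the PR describes (a read-only workflow-level default, with write scopes granted only on the job that needs them, and artifact upload/download working under the default) and the `checks: write` case raised later in the review, as one added example. This is not a Zephyr workflow: the job names, the JUnit file paths and the publishing action are assumptions chosen for illustration.

```yaml
# Added example (not a Zephyr workflow). Job names, file paths and the
# publishing action are assumptions for illustration.
name: least-privilege-example

on:
  pull_request:
  schedule:
    # Run at 17:00 UTC on every Saturday
    - cron: '0 17 * * 6'

# Workflow-level default: GITHUB_TOKEN gets read access to repository
# contents only. Naming one scope sets every unnamed scope to none, so
# this token cannot write checks, issues, packages, etc.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    # No job-level permissions block: inherits contents: read.
    # Uploading artifacts needs no additional scope (as noted in the
    # PR description), so this job stays read-only.
    steps:
      - uses: actions/checkout@v4
      - name: Build and run unit tests
        run: make test   # assumed build step producing junit/*.xml
      - uses: actions/upload-artifact@v4
        with:
          name: junit-results
          path: junit/*.xml

  publish-test-results:
    runs-on: ubuntu-latest
    needs: build
    # A job-level permissions block REPLACES the workflow-level one; it
    # does not add to it. contents: read must be restated here or this
    # job loses read access while gaining checks: write.
    permissions:
      contents: read
      checks: write
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: junit-results
          path: junit
      - name: Publish Unit Test Results
        # Assumed publishing action; any step that creates check runs
        # through the Checks API needs checks: write on the token.
        uses: EnricoMi/publish-unit-test-result-action@v2
        with:
          files: junit/*.xml
```

The check a reviewer can apply to every job: if the job has no `permissions` block, it runs with `contents: read` only; if it has one, every scope the job uses must appear in it, including `contents: read` when the job checks out or downloads code, because nothing is inherited once the block exists. A job that exceeds its grant fails at runtime with an HTTP 403 from the API call, which is the symptom the `checks: write` comment in this thread is anticipating.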

@kartben kartben force-pushed the workflows_permissions branch 4 times, most recently from e813675 to 8b00760 Compare March 18, 2025 09:55
@kartben kartben marked this pull request as ready for review March 18, 2025 10:08
@zephyrbot zephyrbot added platform: nRF BSIM Nordic Semiconductors, nRF BabbleSim area: Continuous Integration labels Mar 18, 2025

@aescolar aescolar left a comment


Thanks @kartben
+1
No complaints from me

nashif
nashif previously approved these changes Mar 18, 2025

@fabiobaltieri fabiobaltieri left a comment


I think there's a couple of unintended changes here

@kartben kartben (author) commented Mar 18, 2025

I think there's a couple of unintended changes here

Sigh -- thanks! Should be better now

nashif
nashif previously approved these changes Mar 18, 2025
fabiobaltieri
fabiobaltieri previously approved these changes Mar 18, 2025
@@ -15,6 +15,9 @@ on:
# Run at 17:00 UTC on every Saturday
- cron: '0 17 * * 6'

permissions:
contents: read
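Review bot: `contents: read` at the workflow level reduces every other GITHUB_TOKEN scope to none, so the 'Publish Unit Test Results' step in this workflow (the one raised in the comment on this hunk) will no longer be able to create check runs. Give that job its own block, `permissions: { contents: read, checks: write }`, restating `contents: read` because a job-level `permissions` block replaces the workflow-level one rather than extending it. Separately, the commit message says the default is `permissions: read-all` while this hunk sets `contents: read`; the two grant different scopes, so one of them should be corrected before merge.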


@nashif nashif Mar 18, 2025


shouldn't this action have checks: write permissions in 'Publish Unit Test Results' section below?

@kartben (author)

yes! thanks for paying attention

@kartben (author)

@nashif addressed - thanks!

…ilege

Default to `permissions: read-all` in all workflows and then add
additional permissions as needed at the job level

Signed-off-by: Benjamin Cabé <benjamin@zephyrproject.org>
@kartben kartben dismissed stale reviews from fabiobaltieri and nashif via ed9c558 March 18, 2025 15:27
@kartben kartben force-pushed the workflows_permissions branch from e973242 to ed9c558 Compare March 18, 2025 15:27
@nashif nashif merged commit c9a1493 into zephyrproject-rtos:main Mar 19, 2025
62 checks passed
@kartben kartben deleted the workflows_permissions branch March 20, 2025 13:23
Projects: Status: Done
6 participants