harden security of github actions

LumiSpy / lumispy

Luminescence data analysis with HyperSpy.

https://lumispy.org

GNU General Public License v3.0

26 stars 18 forks source link

harden security of github actions #76

Closed jlaehne closed 2 years ago

jlaehne commented 3 years ago

See https://github.com/hyperspy/hyperspy/issues/2727

We should:

[x] limit write access for workflows by setting default to read for the lumispy organization (https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/)
[ ] consider to pin actions that use secrets

jlaehne commented 2 years ago

Restricted permissions for Actions:

allow only selected non-lumispy-workflows
workflows have only read permissions
actions cannot create or approve PRs

jordiferrero commented 2 years ago

The only actions that use secrets in lumispy are in the release.yml actions:

GITHUB_TOKEN to create a new release
TWINE_USERNAME & TWINE_PASSWORD for submitting the new version to PyPI.

@jlaehne what do you want to do with this? I've been reading a bit more on pinning actions, but not sure how to proceed.

jlaehne commented 2 years ago

I am not fully sure either, but think that for these actions it should be OK as it is. In that case we could close this issue.

@ericpre I think we never implemented pinning for HyperSpy either?

ericpre commented 2 years ago

From checking the current workflows, the ones with permissions: contents: write are not using third party actions, which means that this is fine as it is.