NVIDIA / cccl

CUDA Core Compute Libraries
https://nvidia.github.io/cccl/

Set minimum permissions to workflows #833

Closed gabibguti closed 10 months ago

gabibguti commented 1 year ago

Setting minimum permissions on workflows helps keep the workflows safer against supply-chain attacks. GitHub gives higher permissions to workflows by default, but it's good practice to adjust them to the minimum permissions necessary.

To do that, we check what actions are used in the workflow and what permissions they need. For example, in deploy-documentation-github-pages.yml we have the action peaceiris/actions-gh-pages, which needs the contents: write permission to push to a repository branch. We should do that for all workflows to make sure we're following the least-privilege access rule.

If you agree with the changes, I can open a PR!

This setting is recommended by security tools, such as Scorecards and StepSecurity.

Additional Context

I'm Gabriela and I work on behalf of Google and the OpenSSF suggesting supply-chain security changes :)
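The change proposed above, shown on a workflow of the same shape as the deploy-documentation-github-pages.yml mentioned in the issue. This is an added example, not the repository's actual workflow: the trigger, the build step, the publish directory and the action version tags are assumptions chosen for illustration; the only details taken from the issue are the action name peaceiris/actions-gh-pages and its need for contents: write. The first document is the weak form (no permissions key, so the job inherits the repository's default GITHUB_TOKEN scope); the second is the least-privilege form.

```yaml
# BEFORE (weak): no `permissions:` key, so every job receives the repository's
# default GITHUB_TOKEN scope, which is broader than this job needs.
name: Deploy documentation
on:
  push:
    branches: [main]          # trigger assumed for illustration
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./build-docs.sh  # hypothetical build step
      - uses: peaceiris/actions-gh-pages@v3
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          publish_dir: ./docs # hypothetical output directory

---
# AFTER (least privilege): a read-only default for the whole file, widened only
# on the single job that actually pushes to a branch.
name: Deploy documentation
on:
  push:
    branches: [main]

permissions:
  contents: read              # applies to every job unless a job overrides it

jobs:
  deploy:
    runs-on: ubuntu-latest
    permissions:
      contents: write         # peaceiris/actions-gh-pages pushes to the pages branch
    steps:
      - uses: actions/checkout@v4
      - run: ./build-docs.sh
      - uses: peaceiris/actions-gh-pages@v3
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          publish_dir: ./docs
```

Two caveats when applying this. A job-level `permissions:` block replaces the workflow-level one for that job rather than extending it, and any scope not listed is set to none, so every scope the job's actions need (for example `pull-requests: write` for an action that comments on PRs) must be listed explicitly in that job. And the workflow-level `contents: read` is what makes the other jobs in the same file read-only, so it should be present even when only one job is changed. Scorecard reports the result under its Token-Permissions check (`scorecard --repo=github.com/OWNER/REPO --checks=Token-Permissions`, with the repository slug substituted), which is a quick way to confirm no workflow in the repository is still running with the default token scope.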

jrhemstad commented 1 year ago

Hey @gabibguti. Thanks for the heads up! We're actually in the process of migrating to an entirely new repo with an entirely new actions setup very soon. We'll definitely be sure to address the issue you raised as part of that migration.

gabibguti commented 1 year ago

@jrhemstad Ok, great! If you need any help setting it up for the new repo, let me know!

jrhemstad commented 10 months ago

Closing in favor of https://github.com/NVIDIA/cccl/issues/919