Open mpkorstanje opened 1 year ago
We can also limit the actions allowed in the organisation in a few different ways.
We currently use these non-Cucumber, non-GitHub-provided actions; I can't tell which ones are from verified publishers:
```
mpkorstanje@nyx:~/Projects/cucumber/code-search$ grep -r uses: | grep ".github" | cut -d ":" -f 3 | sort | uniq | grep -v cucumber | grep -v actions
8398a7/action-slack@v3
arduino/setup-protoc@v1
aurelien-baudet/workflow-dispatch@v2
codecov/codecov-action@v1
codecov/codecov-action@v3
coverallsapp/github-action@master
dart-lang/setup-dart@v1.3
docker/bake-action@v2
docker/build-push-action@v3
docker/login-action@v2
docker/setup-buildx-action@v2
docker/setup-qemu-action@v2
erlef/setup-beam@v1
GabrielBB/xvfb-action@v1
golangci/golangci-lint-action@v3.2.0
goreleaser/goreleaser-action@v2
goreleaser/goreleaser-action@v3.1.0
HaaLeo/publish-vscode-extension@v1
marocchino/sticky-pull-request-comment@v2
mymindstorm/setup-emsdk@v11
ocaml/setup-ocaml@v2
pulumi/setup-pulumi@v2
reactivecircus/android-emulator-runner@v2
ruby/setup-ruby@v1
shivammathur/setup-php@v2
snok/install-poetry@v1
softprops/action-gh-release@v1
```
Projects that use cucumber/action-create-github-release, which would definitely need elevated permissions:
```
mpkorstanje@nyx:~/Projects/cucumber/code-search$ grep -rl cucumber/action-create-github-release | cut -d '/' -f 1
cucumber-expressions
blockly
cucumber-parent
action-get-versions
gherkin
message-streams
action-publish-rubygem
action-publish-sbt
action-publish-nuget
action-publish-hex
action-create-github-release
action-create-github-release
action-create-github-release
action-create-github-release
action-create-github-release
action-create-github-release
gherkin-streams
cucumber-jvm-scala
action-publish-npm
multi_test
html-formatter
compatibility-kit
action-create-release-pr
cucumber-js-pretty-formatter
ci-environment
cucumber-js
react-components
language-server
action-publish-subrepo
screenplay.js
build
cucumber-ruby
language-service
cucumber-ruby-wire
cucumber-json-converter
monaco
cucumber-android
messages
action-publish-mvn
gherkin-utils
action-publish-pypi
microdata
split-java
tag-expressions
query
action-publish-cpan
cucumber-ruby-core
cucumber-rails
release-tests
cucumber-jvm
```
@sashashura has been submitting a number of PRs to the Cucumber org that reduce the access to the GitHub token for specific actions. This block-list approach is unfortunately scattergun and doesn't scale well; it is also insecure by default.
By reducing the scope across the organization we only have to increase it for cucumber/action-create-github-release. All other actions do (as far as I know) require elevated permissions.