erlef / setup-beam

Set up your BEAM-based GitHub Actions workflow (Erlang, Elixir, Gleam, ...)
MIT License

GITHUB_TOKEN permissions used by this action #121

Closed step-security-bot closed 2 years ago

step-security-bot commented 2 years ago

At https://github.com/step-security/secure-workflows we are building a knowledge-base (KB) of GITHUB_TOKEN permissions needed by different GitHub Actions. When developers try to set minimum token permissions for their workflows, they can use this knowledge-base instead of trying to research permissions needed by each GitHub Action they use.

Below you can see the KB of your GITHUB Action.

name: Setup Erlang/OTP with optional Elixir (and mix) and/or rebar3 # erlef/setup-elixir
# GITHUB_TOKEN not used

If you think this information is not accurate, or if in the future your GitHub Action starts using a different set of permissions, please create an issue at https://github.com/step-security/secure-workflows/issues to let us know.

This issue is automatically created by our analysis bot, feel free to close after reading :)

References:

GitHub asks users to define workflow permissions, see https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/ and https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token for securing GitHub workflows against supply-chain attacks.

Setting minimum token permissions is also checked for by Open Source Security Foundation (OpenSSF) Scorecards. Scorecards recommend using https://github.com/step-security/secure-workflows so developers can fix this issue in an easier manner.

starbelly commented 2 years ago

I think this is a non-issue for us, since we don't require folks to do anything with GitHub tokens to use this action?

varunsh-coder commented 2 years ago

I think this is a non-issue for us, since we don't require folks to do anything with GitHub tokens to use this action?

Yes, as of now the knowledge base for this Action is that it does not need GITHUB_TOKEN. This issue is just to inform you that if you do start using GITHUB_TOKEN in your Action, please create an issue at https://github.com/step-security/secure-workflows/issues so we can update the knowledge base. Feel free to close this issue.

You can also fix token permissions and other OpenSSF Scorecards issues in this Action and other repos. As an example, this remediation link fixes token permissions for one of the workflows in this repo: https://app.stepsecurity.io/secureworkflow/erlef/setup-beam/action.yml/main?enable=permissions

OpenSSF Scorecards will generate these remediation links for you once you use it.
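The bot's comment above and the remediation link describe the same change: declaring a least-privilege `permissions:` block so the workflow's GITHUB_TOKEN is not issued with the repository default (which, before the April 2021 change linked above, was write access to most scopes). The following workflow is an added example, not a file from the erlef/setup-beam repository or from the step-security bot. It assumes a plain `mix test` job; the action tags (`actions/checkout@v4`, `erlef/setup-beam@v1`) and the OTP/Elixir versions are illustrative. Since setup-beam itself does not use GITHUB_TOKEN, the only scope the job needs is `contents: read`, which is what `actions/checkout` uses to clone the repository.

```yaml
# Added example workflow (not part of erlef/setup-beam).
# Weak form: omit the `permissions:` key entirely, and GITHUB_TOKEN gets the
# repository-wide default. Hardened form (below): declare the minimum scopes at
# workflow level, so every job gets a read-only token unless it overrides it.
name: ci

on: [push, pull_request]

# Workflow-level default. A job that must write (e.g. publish a release) should
# set its own `permissions:` block with only the extra scope it needs.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      # Assumed action tags; pin to a full commit SHA for stricter supply-chain control.
      - uses: actions/checkout@v4
      # setup-beam does not consume GITHUB_TOKEN, so no extra scope is required here.
      - uses: erlef/setup-beam@v1
        with:
          otp-version: "26"      # assumed version, illustrative only
          elixir-version: "1.16" # assumed version, illustrative only
      - run: mix deps.get
      - run: mix test
```

A quick way to audit an existing repository is to grep each file under `.github/workflows/` for a top-level `permissions:` key; any workflow without one is still running with the default token scopes, which is the condition the Scorecards "Token-Permissions" check flags.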

paulo-ferraz-oliveira commented 2 years ago

We're using the token to check out and update the third-party libs, nothing else. I'm closing this as it doesn't seem to be an issue. Feel free to reopen if you feel otherwise.