github / docs

The open-source repo for docs.github.com
https://docs.github.com
Creative Commons Attribution 4.0 International

Improve warning for handing out `write` level rights with regards to repo secrets #11167

Closed HonkingGoose closed 2 years ago

HonkingGoose commented 2 years ago

What article on docs.github.com is affected?

https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions

What part(s) of the article would you like to see updated?

There's a big warning in the linked page:

  • Use credentials that are minimally scoped:
    • Make sure the credentials being used within workflows have the least privileges required, and be mindful that any user with write access to your repository has read access to all secrets configured in your repository.

It's really easy to read/skim past this the way the document is structured now.

I propose we add a new heading, "Strongly consider who you give write rights to", and put the warning "Be mindful that any user with write access to your repository has read access to all secrets configured in your repository." in that section.

I suggest styling the warning message itself as a warning box with a red background, or something similar to really capture the attention of the reader.

Additional information

No response


Edited by maintainer. Here is the content design plan by a writer for this issue.

Dez6ztt commented 2 years ago

Everything's fine.

rarkins commented 2 years ago

I agree that this warning should definitely be called out on its own. I went looking for it today and actually missed it even still due to it being under the "Use credentials which are minimally scoped" heading.

ramyaparimi commented 2 years ago

@HonkingGoose Thanks so much for opening an issue! I'll triage this for the team to take a look :eyes:

skedwards88 commented 2 years ago

Thank you for opening this issue! Your proposed plan sounds good. I modified it slightly below since we try to avoid sections that contain only a warning.

  1. Create a new section called something like "Limiting write access to your repository" at the same level (H2) as "Using secrets". In this section, mention that any user with write access to your repository has read access to all secrets configured in your repository.
  2. Under the "Using secrets" section, add a warning that states that any user with write access to your repository has read access to all secrets configured in your repository. (`{% warning %}{% endwarning %}` will add the red warning box styling.)

I think that with the addition of the warning in step 2, we could probably skip the new section in step 1. However, it is also ok if you want to do both steps since this is an important point in a long document.

You or anyone else is welcome to open a PR to address this.

HonkingGoose commented 2 years ago

Thank you for the review and modified plan. I'll let somebody else make a PR to resolve this issue.

ghost commented 2 years ago

Bug

mounilKshah commented 2 years ago

I would like to contribute to this issue. If no one else is working on it, could you please assign it to me?

ramyaparimi commented 2 years ago

@mounilKshah As a general rule, we don’t assign issues to anyone. If you find an issue to work on, you are welcome to open a PR with a fix ✨

mounilKshah commented 2 years ago

Oh alright. I'll begin working on a solution for this issue right away. Also, is there a separate developer channel or are all discussions done under the 'Discussions' section of the repository?

ramyaparimi commented 2 years ago

@mounilKshah all discussions are done under the 'Discussions' section of the repository ✨