gregsdennis / dependencies-action

A GitHub Action that enforces PR dependencies
MIT License
33 stars, 10 forks

GITHUB_TOKEN permissions used by this action #13

Open step-security-bot opened 2 years ago

step-security-bot commented 2 years ago

At https://github.com/step-security/secure-workflows we are building a knowledge-base (KB) of GITHUB_TOKEN permissions needed by different GitHub Actions. When developers try to set minimum token permissions for their workflows, they can use this knowledge-base instead of trying to research permissions needed by each GitHub Action they use.

Below you can see the KB of your GITHUB Action.

name: 'PR Dependency Check'
github-token:
  environment-variable-name: GITHUB_TOKEN
  permissions:
    pull-requests: read
    pull-requests-reason: to check PRs for dependencies
    issues: read
    issues-reason: to check issues for dependencies
# Reference: https://github.com/gregsdennis/dependencies-action/blob/047fc2563e29739c28c31d007d3f8862d02dca57/index.js#L91

If you think this information is not accurate, or if in the future your GitHub Action starts using a different set of permissions, please create an issue at https://github.com/step-security/secure-workflows/issues to let us know.

This issue is automatically created by our analysis bot, feel free to close after reading :)

References:

GitHub asks users to define workflow permissions, see https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/ and https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token for securing GitHub workflows against supply-chain attacks.

Setting minimum token permissions is also checked for by Open Source Security Foundation (OpenSSF) Scorecards. Scorecards recommend using https://github.com/step-security/secure-workflows so developers can fix this issue in an easier manner.

felladrin commented 1 year ago

@gregsdennis, please take it into account. This is some useful info to have in the Readme.

In my case, here's how the workflow file ended up:

name: PR Dependency Check

on: [pull_request]

jobs:
  pr-dependency-check:
    runs-on: ubuntu-latest
    name: Check PR Dependency
    permissions:
      pull-requests: read # Reason: To check PRs for dependencies.
      issues: read # Reason: To check issues for dependencies.
    steps:
    - uses: gregsdennis/dependencies-action@main
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

gregsdennis commented 1 year ago

@felladrin I'm happy to make changes, but I'm not sure what this is asking me to do. The post seems more informational than a call to action.

felladrin commented 1 year ago

It's related to the RequestError [HttpError]: Resource not accessible by integration, which can happen if those permissions are not set.


For example, this error can occur if a person creating a PR does not have full permissions to the repository (e.g. they're just a collaborator and not an owner). So when we add the permissions directly into the workflow file, it adds the permission on-the-fly to the GitHub Token.

gregsdennis commented 1 year ago

@felladrin that's good info, but what do I need to do for this? It looks like it's something that's in the user's action.yml, not anything here. This is where I'm confused.

felladrin commented 1 year ago

That's true, it's up to the user. My suggestion was to point the users to this info somewhere in the Readme, because I assume more users will open issues related to this later on.

I think something like this in the Readme would help:

Note that this action requires permissions to read both Pull Requests and Issues from the repository. If you get an error like 'Resource not accessible by integration', please refer to this documentation or this example.
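An added example, not part of this issue thread or of the dependencies-action project: a small audit that checks whether every workflow job using this action grants the GITHUB_TOKEN exactly the scopes the KB above lists (pull-requests: read, issues: read), flagging jobs that rely on the repository default token, grant less than needed, or grant more than needed. Workflows are passed as already-parsed dicts (the shape PyYAML's safe_load would produce) so it runs without third-party packages; the three sample workflows are constructed.

```python
# Added example; not code from the issue thread or the dependencies-action project.
ACTION = "gregsdennis/dependencies-action"
REQUIRED = {"pull-requests": "read", "issues": "read"}   # from the KB in this thread
LEVELS = {"none": 0, "read": 1, "write": 2}

def effective_permissions(workflow, job):
    """A job-level `permissions` block replaces the workflow-level one entirely
    (GitHub does not merge them). 'read-all'/'write-all' shorthand is expanded
    to that level for the scopes this check cares about."""
    perms = job.get("permissions", workflow.get("permissions"))
    if perms is None:
        return None                      # repository default token permissions apply
    if isinstance(perms, str):           # 'read-all' or 'write-all'
        return {scope: perms.split("-")[0] for scope in REQUIRED}
    return dict(perms)

def uses_action(job):
    return any(str(step.get("uses", "")).split("@")[0] == ACTION
               for step in job.get("steps", []))

def audit(workflow):
    """Return (job_name, finding) tuples for jobs using the action; [] means least
    privilege. Scopes outside REQUIRED are not judged: other steps may need them."""
    findings = []
    for name, job in workflow.get("jobs", {}).items():
        if not uses_action(job):
            continue
        perms = effective_permissions(workflow, job)
        if perms is None:
            findings.append((name, "no permissions block; relying on repository default"))
            continue
        for scope, need in REQUIRED.items():
            have = str(perms.get(scope, "none"))
            if LEVELS.get(have, 0) < LEVELS[need]:
                findings.append((name, f"{scope}: {have} (needs {need})"))
            elif LEVELS.get(have, 0) > LEVELS[need]:
                findings.append((name, f"{scope}: {have} is broader than {need}"))
    return findings

# Constructed samples: the least-privilege workflow from the comment above, one that
# grants write-all, and one with no permissions block at all.
GOOD = {"jobs": {"pr-dependency-check": {"runs-on": "ubuntu-latest",
        "permissions": {"pull-requests": "read", "issues": "read"},
        "steps": [{"uses": "gregsdennis/dependencies-action@main"}]}}}
BROAD = {"jobs": {"check": {"permissions": "write-all",
        "steps": [{"uses": "gregsdennis/dependencies-action@main"}]}}}
MISSING = {"jobs": {"check": {"steps": [{"uses": "gregsdennis/dependencies-action@main"}]}}}

if __name__ == "__main__":
    for label, wf in (("good", GOOD), ("broad", BROAD), ("missing", MISSING)):
        print(label, audit(wf) or "OK")
```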