jenkins-infra / github-reusable-workflows

Repository for reusable workflows
MIT License

CD broken in repo using restricted default permissions for `GITHUB_TOKEN` #23

Closed jglick closed 1 year ago

jglick commented 1 year ago

https://github.com/jenkinsci/secure-requester-whitelist-plugin/actions/runs/4294658824 for example. https://github.com/jenkinsci/secure-requester-whitelist-plugin/settings/actions shows Workflow permissions set to Read repository contents and packages permissions, not Read and write permissions as in other CD-enabled repos. I think we now need to set permissions as per https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token. I am confused since https://github.blog/changelog/2023-02-02-github-actions-updating-the-default-github_token-permissions-to-read-only/ says

New repositories will inherit permissions from parent organization.

so was this changed in @jenkinsci recently? CC @lemeurherve @timja

timja commented 1 year ago

this is what's setup at the org level: https://github.com/organizations/jenkinsci/settings/actions


lemeurherve commented 1 year ago

I haven't seen anything related to this kind of change either.

FTR, here are the current settings on @jenkins-infra org:

jglick commented 1 year ago

:shrug: I am checking whether this is something I can correct in the repo’s .github/workflows/cd.yaml

lemeurherve commented 1 year ago

I've created a new repo to check on @jenkins-infra, FWIW the setting is correctly inherited: https://github.com/jenkins-infra/test-repo-check-action-workflow-default-permission/settings/actions

jglick commented 1 year ago

Well this was not a new repo, it was an old repo with Actions newly enabled.

lemeurherve commented 1 year ago

About the ci.jenkins.io GitHub app, the only recent change I can think of was me adding a @jenkins-infra repository to the 101 @jenkins-infra ones it has access to, cf https://github.com/jenkins-infra/helpdesk/issues/3409#issuecomment-1446929239


As far as I know, it has access to all @jenkinsci repositories:

timja commented 1 year ago

Oh, interesting, you can close cross-org now.

daniel-beck commented 1 year ago

Re jenkinsci/secure-requester-whitelist-plugin, I'm pretty sure this was me when I played with the corresponding metadata in Jenkins Security Scan.

jglick commented 1 year ago

Ah! Well, it is still a good practice to explicitly declare the expected permissions—means this workflow should run regardless of how a particular repository is set up.
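As an added illustration (not code from this thread or from the jenkins-infra repository), this is what a caller's `.github/workflows/cd.yaml` looks like when it declares its `GITHUB_TOKEN` scopes at the top level instead of relying on the repository or organization default; the reusable workflow path, the triggers and the exact scopes are assumptions for a typical release flow.

```yaml
name: cd

# Triggers are assumptions: a manual run, plus a CI check completing
on:
  workflow_dispatch:
  check_run:
    types:
      - completed

# Declared here, on the workflow itself, so the token's scopes no longer
# depend on whether the repo's "Workflow permissions" setting is
# "Read repository contents and packages permissions" or "Read and write".
# Every scope not listed falls back to "none", which is the least-privilege
# behaviour we want for a CD job.
permissions:
  contents: write   # assumption: needed to push the release tag/notes
  checks: read      # assumption: needed to inspect the CI check result

jobs:
  release:
    # Assumed path/ref of the reusable workflow; substitute the real one.
    uses: jenkins-infra/github-reusable-workflows/.github/workflows/REUSABLE-WORKFLOW-PLACEHOLDER.yml@main
    # A job calling a reusable workflow may only narrow the workflow-level
    # permissions above, never widen them, so the called workflow can never
    # obtain more than what this file grants.
    permissions:
      contents: write
      checks: read
    secrets: inherit   # assumption: the reusable workflow consumes repo secrets
```

If the repository default is later tightened to read-only (as the linked GitHub changelog describes), the declared `contents: write` still applies, and if the default is loosened, the unlisted scopes are still dropped to `none`.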