ci: least privileged GITHUB_TOKEN permissions

kubernetes / kube-state-metrics

Add-on agent to generate and expose cluster-level metrics.

https://kubernetes.io/docs/concepts/cluster-administration/kube-state-metrics/

Apache License 2.0

5.35k stars 2k forks source link

ci: least privileged GITHUB_TOKEN permissions #2395

Closed ricardoapl closed 3 months ago

ricardoapl commented 4 months ago

What this PR does / why we need it:

The GITHUB_TOKEN is an automatically generated secret to make authenticated calls to the GitHub API. GitHub recommends setting minimum token permissions for the GITHUB_TOKEN, otherwise attackers may use a compromised token with write access to, for example, push malicious code into the project.

Found in CLOMonitor Checks and OpenSSF Scorecard Report.

How does this change affect the cardinality of KSM:

Does not change cardinality

Which issue(s) this PR fixes:

Part of #2274

k8s-ci-robot commented 4 months ago

This issue is currently awaiting triage.

If kube-state-metrics contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository.

mrueg commented 4 months ago

If https://github.com/kubernetes/kube-state-metrics/pull/2398 is getting merged, will this workflow work with only read permissions?

ricardoapl commented 4 months ago

If #2398 is getting merged, will this workflow work with only read permissions?

That's a good point, the workflow will not work with read only permissions then.

I suggest we keep default top-level permissions to read-only, but add contents: write permissions at job-level to #2398.

Although perhaps unlikely, there's a chance that a new job is added to this workflow, and its permissions could be left undefined because of human error.

What do you think?

mrueg commented 3 months ago

Sounds good to me, let's mark this read-only for now.

/lgtm

k8s-ci-robot commented 3 months ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mrueg, ricardoapl

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files: - ~~[OWNERS](https://github.com/kubernetes/kube-state-metrics/blob/main/OWNERS)~~ [mrueg] Approvers can indicate their approval by writing `/approve` in a comment Approvers can cancel approval by writing `/approve cancel` in a comment