titanism
commented
1 year ago This isn't useful for our CI; we don't publish anything, it just runs tests
Closed sashashura closed 1 year ago
titanism
commented
1 year ago This isn't useful for our CI; we don't publish anything, it just runs tests
sashashura
commented
1 year ago The issue is that you running the workflow with unrestricted permissions. A short time window is enough for a compromised dependency to compromise the repository. All these write permissions are not needed to run a CI.
titanism
commented
1 year ago How would it compromise the repository? Can you give a real example? Would it auto accept and merge an existing pull request?
sashashura
commented
1 year ago yarn install? npm build? Please note this is not about pull requests. They run with read-only permissions. However, the workflow starts on every push to the repository. Let's say a third party tool or dependency that the workflow installs and runs is compromised at a given moment. After a day or few hours NPM detects the malicious activity at takes it down. However the dependency may have run already on a legit push. The issue here is that the dependency has access to the privileged github token and can modify the commits, artifacts, etc.
titanism
commented
1 year ago This makes sense via process.env.GITHUB_TOKEN.
This PR adds explicit permissions section to workflows. This is a security best practice because by default workflows run with extended set of permissions (except from
on: pull_requestfrom external forks). By specifying any permission explicitly all others are set to none. By using the principle of least privilege the damage a compromised workflow can do (because of an injection or compromised third party tool or action) is restricted. It is recommended to have most strict permissions on the top level and grant write permissions on job level case by case.