pybind / pybind11

Seamless operability between C++11 and Python
https://pybind11.readthedocs.io/

[BUG]: Set minimal permissions to github workflows #4567

Closed joycebrum closed 1 year ago

joycebrum commented 1 year ago

Required prerequisites

What version (or hash if on master) of pybind11 are you using?

None

Problem description

GitHub grants, by default, write-all permission to all workflows, which allows an attacker to exploit these permissions in case of a compromised workflow. Thus, it is both a recommendation from the OpenSSF Scorecard and from GitHub itself to always use credentials that are minimally scoped.

This means setting the top level permission as contents: read (usually enough for most actions) or even read-all, and granting any write permission at the job level.

Let me know if you are interested in this change and I'll submit the PR as soon as possible.

Context: I'm Joyce, working on behalf of Google and the OpenSSF to increase supply chain security in many open source projects.

Reproducible example code

You can see the permissions granted to a workflow run in the run log such as https://github.com/pybind/pybind11/actions/runs/4378748766/jobs/7663879679 in the `Set up job` -> `GITHUB_TOKEN Permissions`

Is this a regression? Put the last known working version here if it is.

Not a regression

rwgk commented 1 year ago

> Let me know if you are interested in this change and I'll submit the PR as soon as possible.

Hi Joyce, we're open to experiments. I don't know much about this myself, but @henryiii told me that we're not using write permissions except in one labeler job. Could you please send us a PR or instructions for how to grant only the write permissions we actually need?

henryiii commented 1 year ago

I think we can set the default to read only in settings, then enable just the one thing we need in the GHA YAML.
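
The change described in the issue body (top-level `contents: read`, write scopes only at the job level) and in henryiii's comment (read-only default, then enable just the one labeler job) looks like the following in workflow YAML. This is an added illustration, not a file from the pybind11 repository: the workflow names, the job names, the action versions, and the assumption that the labeler job is the one needing `pull-requests: write` are all mine.

```yaml
# Added example, not pybind11's own workflow. Two YAML documents: the
# "before" shape and the least-privilege "after" shape.

# BEFORE: no `permissions:` key at all. The job inherits the repository
# default token, which is write-all unless the repository setting has been
# switched to read-only. A compromised step here can push, tag, or edit
# issues with GITHUB_TOKEN.
name: ci-before
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3          # assumption: version
      - run: echo "this job only needs to read the repository"

---
# AFTER: a read-only token for every job by default, and a job-scoped
# write grant only where it is needed.
name: ci-after
on: [pull_request]

# Workflow-level default. Every job that does not declare its own
# `permissions:` block gets exactly this and nothing else.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3          # assumption: version
      - run: echo "GITHUB_TOKEN here is contents: read only"

  labeler:
    runs-on: ubuntu-latest
    # A job-level block replaces the workflow-level one for this job; any
    # scope not listed here becomes `none`, so `contents: read` is repeated
    # rather than inherited.
    permissions:
      contents: read
      pull-requests: write                 # the one write scope the labeler needs
    steps:
      - uses: actions/labeler@v4           # assumption: version and job name
```

After the change, the `Set up job` step of each run lists the reduced scope set under `GITHUB_TOKEN Permissions` (the run-log location the issue points to), which is the quickest way to confirm that no job still carries a write scope it does not use.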

joycebrum commented 1 year ago

Will do that!

Sorry for the late reply, GitHub did not notify me by email ;-; (don't know why)