Fix token permissions for 100 critical open-source projects

[varunsh-coder]

This issue is to track progress on adding GitHub token permissions to workflows for critical open source projects.

OSSF has a working group to identify critical projects and calculate criticality score: https://github.com/ossf/wg-securing-critical-projects

The list of top 100 projects is here: https://docs.google.com/spreadsheets/d/1ONZ4qeMq8xmeCHX03lIgIYE4MEXVfVL6oj05lbuXTDM/edit#gid=1024997528

[varunsh-coder]

Adding list of PRs:

1-10

• [x] https://github.com/ampproject/amphtml/pull/38019
• [x] https://github.com/ant-design/ant-design/pull/34946
• [x] https://github.com/caolan/async/pull/1829
• [x] https://github.com/babel/babel/pull/14539
• [x] https://github.com/apache/commons-codec/pull/131
• [x] https://github.com/apache/commons-lang/pull/894
• [x] https://github.com/python/cpython/pull/92999
• [x] https://github.com/electron/electron/pull/34298
• [x] https://github.com/gatsbyjs/gatsby/pull/35713
• [x] https://github.com/rails/rails/pull/45150

11-20

• [x] https://github.com/DefinitelyTyped/DefinitelyTyped/pull/61065
• [x] https://github.com/gradle/gradle/pull/21162
• [x] https://github.com/Homebrew/homebrew-core/pull/105003
• [x] https://github.com/Homebrew/homebrew-bundle/pull/1098
• [x] https://github.com/symfony/symfony/pull/46832
• [x] https://github.com/facebook/react-native/pull/34122
• [x] https://github.com/Homebrew/homebrew-cask/pull/127104
• [x] https://github.com/NixOS/nixpkgs/pull/180751
• [x] https://github.com/pandas-dev/pandas/pull/47652
• [x] https://github.com/FasterXML/jackson-core/pull/792

21-30

• [x] https://github.com/nodejs/node/pull/43743
• [x] https://github.com/openssl/openssl/pull/18766
• [x] https://github.com/mrdoob/three.js/pull/24332
• [x] https://github.com/qos-ch/slf4j/pull/293
• [x] https://github.com/webpack/webpack/pull/16033
• [x] https://github.com/qos-ch/logback/pull/579
• [x] https://github.com/nodejs/readable-stream/pull/479
• [x] https://github.com/joomla/joomla-cms/pull/38256
• [x] https://github.com/google/guava/pull/6106
• [x] https://github.com/saltstack/salt/pull/62317

31-40

• [x] https://github.com/puppetlabs/puppet/pull/8924
• [x] https://github.com/PowerShell/PowerShell/pull/17781
• [x] https://github.com/xbmc/xbmc/pull/21782
• [x] https://github.com/tasks/tasks/pull/1975
• [x] https://github.com/tensorflow/models/pull/10749
• [x] https://github.com/zulip/zulip/pull/22786
• [x] https://github.com/elastic/elasticsearch/pull/89490
• [x] https://github.com/eclipse/jetty.project/pull/8499
• [x] https://github.com/import-js/eslint-plugin-import/pull/2547
• [x] https://github.com/rbenv/ruby-build/pull/2041

41 - 50

• [x] https://github.com/spring-projects/spring-framework/pull/29104
• [x] https://github.com/hashicorp/packer/pull/11973
• [x] https://github.com/facebook/hhvm/pull/9177
• [x] https://github.com/mastodon/mastodon/pull/19138
• [x] https://github.com/webpack-contrib/css-loader/pull/1470
• [x] https://github.com/openSUSE/open-build-service/pull/13057
• [x] https://github.com/argoproj/argo-workflows/pull/9552
• [x] https://github.com/humhub/humhub/pull/5857
• [x] https://github.com/KratosMultiphysics/Kratos/pull/10247
• [x] https://github.com/ckan/ckan/pull/7070

51 - 60

• [x] https://github.com/juju/juju/pull/14587
• [x] https://github.com/zaproxy/zaproxy/pull/7452
• [x] https://github.com/mattermost/mattermost-server/pull/20975
• [x] https://github.com/xonsh/xonsh/pull/4936
• [x] https://github.com/readthedocs/readthedocs.org/pull/9617
• [x] https://github.com/mruby/mruby/pull/5798
• [x] https://github.com/pwsafe/pwsafe/pull/885
• [x] https://github.com/sweetalert2/sweetalert2/pull/2512
• [x] https://github.com/aspnetboilerplate/aspnetboilerplate/pull/6559
• [x] https://github.com/node-red/node-red/pull/3907

61 - 70

• [x] https://github.com/sindresorhus/got/pull/2154
• [x] https://github.com/composer/installers/pull/515
• [x] https://github.com/apache/nifi/pull/6469
• [x] https://github.com/factor/factor/pull/2696
• [x] https://github.com/mavlink/mavlink/pull/1898
• [x] https://github.com/tokio-rs/tokio/pull/5072
• [x] https://github.com/stan-dev/math/pull/2819
• [x] https://github.com/NodeBB/NodeBB/pull/10933
• [x] https://github.com/trilinos/Trilinos/pull/11092
• [x] https://github.com/GoogleForCreators/web-stories-wp/pull/12269

71 - 80

• [x] https://github.com/faisalman/ua-parser-js/pull/583
• [x] https://github.com/twbs/bootstrap/pull/36325
• [x] https://github.com/PyCQA/isort/pull/1969
• [x] https://github.com/apache/accumulo/pull/2926
• [x] https://github.com/rubocop/rubocop/pull/10947
• [x] https://github.com/ccache/ccache/pull/1159
• [x] https://github.com/apache/thrift/pull/2664
• [x] https://github.com/halide/Halide/pull/7011
• [x] https://github.com/spf13/cobra/pull/1792
• [x] https://github.com/facebook/rocksdb/pull/10549

81 - 90

• [ ] https://github.com/prometheus/prometheus/pull/11285
• [ ] https://github.com/kubernetes/dashboard/pull/7430
• [ ] https://github.com/javaparser/javaparser/pull/3685
• [ ] https://github.com/libgdx/libgdx/pull/6984
• [ ] https://github.com/psf/requests/pull/6236
• [ ] https://github.com/ceph/ceph/pull/47176
• [ ] https://github.com/home-assistant/core/pull/74331
• [ ] https://github.com/python/mypy/pull/13645
• [ ] https://github.com/python/mypy/pull/13645
• [ ] https://github.com/isaacs/inherits/pull/49

91 - 100

• [ ] https://github.com/swagger-api/swagger-ui/pull/8169
• [ ] https://github.com/knex/knex/pull/5318
• [ ] https://github.com/globalize/globalize/pull/803
• [ ] https://github.com/cockroachdb/cockroach/pull/86536
• [ ] https://github.com/apache/maven/pull/745
• [ ] https://github.com/spree/spree/pull/11757
• [ ] https://github.com/flowable/flowable-engine/pull/3478
• [ ] https://github.com/openemr/openemr/pull/5801
• [ ] https://github.com/rust-lang/rustfmt/pull/5557
• [ ] https://github.com/open-mmlab/mmdetection/pull/8928

101 - 110

• [ ] https://github.com/pallets/flask/pull/4830
• [ ] https://github.com/tensorflow/probability/pull/1630
• [ ] https://github.com/hakimel/reveal.js/pull/3292
• [ ] https://github.com/apache/ignite/pull/10283
• [ ] https://github.com/tox-dev/tox/pull/2510
• [ ] https://github.com/apache/tomcat/pull/554
• [ ] https://github.com/nuxt/nuxt.js/pull/10734
• [ ] https://github.com/marmelab/react-admin/pull/8225
• [ ] https://github.com/codemirror/codemirror5/pull/6989
• [ ] https://github.com/pallets/werkzeug/pull/2527

111- 120

• [ ] https://github.com/nodejs/node-v8/pull/241
• [ ] https://github.com/syncthing/syncthing/pull/8574
• [ ] https://github.com/qt/qtbase/pull/78
• [ ] https://github.com/hashicorp/vagrant/pull/12932
• [ ] https://github.com/bigbluebutton/bigbluebutton/pull/15767
• [ ] https://github.com/hashicorp/terraform/pull/31922
• [ ] https://github.com/kubernetes/website/pull/37133
• [ ] https://github.com/ant-design/ant-design/pull/37845
• [ ] https://github.com/google/cadvisor/pull/3180

Closed PRs

• [ ] https://github.com/laravel/framework/pull/42472
• [ ] https://github.com/Homebrew/homebrew-cask-versions/pull/14240
• [ ] https://github.com/ArduPilot/ardupilot/pull/21505
• [ ] https://github.com/ReactiveX/RxJava/pull/7469

[danielroe]

This is a helpful prompt but I think you should instead be recommending enabling restrictive permissions by default for the entire organisation rather than adding these lines to every repo workflow file. I feel this is more secure and better practice.

See https://docs.github.com/en/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#setting-the-permissions-of-the-github_token-for-your-organization.

With the more restrictive permissions, the token only has access to read contents and metadata.

[davidism]

Stop spamming repositories. Ask before running automated tools. https://twitter.com/di_codes/status/1567559370078052353, https://twitter.com/jacobian/status/1570188260592463872

Also agree with the comment above, push for better defaults, not changes to every single workflow file.

[ashishkurmi]

Thanks @davidism for the feedback. We have been working with maintainers of critical open-source projects since April (the first PR on this issue) to address security issues related to elevated GitHub token permissions. Our fix acceptance rate is quite high as you can see from the list of PRs above and many critical open-source projects have benefited from these fixes. We had not heard of this concern before. Going forward, would it be better if we create an issue first to discuss such security remediations with project maintainers?

[davidism]

What you're doing is not "working with maintainers", it's "spamming maintainers then hoping they go along with it so we can point at the acceptance rate." Yes, you should ask first, in a non-spammy, non-automated way, if maintainers want to participate in your automated PRs. You don't even need to make PRs, just use your team to open issues discussing the concern, as any non-company open source user would.

[davidism]

Your PRs aren't really fixing anything long term, as soon as maintainers create a new workflow they'll have the same permission issue. You should be telling them to enable better defaults, then opt in to more permissions, so they don't need the PRs in the first place.

[ashishkurmi]

This is a good idea. The problem is that if workflows that need write access are not fixed by adding explicit permissions, and this change it made at the repo/org level, those workflows will not work as intended.

We can clarify this as part of future issues/ PRs - to first add explicit permissions to workflows that need write access, and after that turn on the setting at the repo/org level, so future workflows are secure by default.

Otherwise, one might follow the recommendation to only turn this on at the repo/ org level, and it might break some of the workflows

This is a helpful prompt but I think you should instead be recommending enabling restrictive permissions by default for the entire organisation rather than adding these lines to every repo workflow file. I feel this is more secure and better practice.

See https://docs.github.com/en/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#setting-the-permissions-of-the-github_token-for-your-organization.

With the more restrictive permissions, the token only has access to read contents and metadata.