authorbors <bors@rust-lang.org>2022-10-04 12:12:51 +0000
committerbors <bors@rust-lang.org>2022-10-04 12:12:51 +0000
commitdc3084a1a375411fb09be303b80a28f0fa6e3986 (patch)
treed3f3b157abc3f340dcbc851e14e9959d84fc813d
parenta4c18465070045fb86c17fcd1ca33f967c6a4b3e (diff)
parentaf330add38957e94275124d6f8b40da70bdea02f (diff)
downloadrust-libc-dc3084a1a375411fb09be303b80a28f0fa6e3986.tar.gz
Auto merge of #2938 - sashashura:patch-2, r=JohnTitor
GitHub Workflows security hardening This PR adds an explicit [permissions section](https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions) to workflows. This is a security best practice because by default workflows run with an [extended set of permissions](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token) (except for `on: pull_request` workflows [from external forks](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)). By specifying any permission explicitly, all others are set to none. By applying the principle of least privilege, the damage a compromised workflow can do (because of an [injection](https://securitylab.github.com/research/github-actions-untrusted-input/) or a compromised third-party tool or action) is restricted. It is recommended to have the [most strict permissions at the top level](https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions) and grant write permissions at the [job level](https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs) case by case.
-rw-r--r--.github/workflows/bors.yml43
-rw-r--r--.github/workflows/main.yml3
2 files changed, 46 insertions, 0 deletions
diff --git a/.github/workflows/bors.yml b/.github/workflows/bors.yml
index c8e6b8e061..fc9a5b6ec3 100644
--- a/.github/workflows/bors.yml
+++ b/.github/workflows/bors.yml
@@ -6,8 +6,13 @@ on:
- auto-libc
- try
+permissions: {}
jobs:
docker_linux_tier1:
+ permissions:
+ actions: write # to cancel workflows (rust-lang/simpleinfra/github-actions/cancel-outdated-builds)
+ contents: read # to fetch code (actions/checkout)
+
name: Docker Linux Tier1
runs-on: ubuntu-22.04
strategy:
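Review bot: The `actions: write` grant on `docker_linux_tier1` is broader than its comment suggests: the `actions` scope of `GITHUB_TOKEN` is repository-wide, so the token can cancel or re-run any workflow run in the repo, not only outdated builds of this branch. GitHub offers no finer scope, so the grant is the correct minimum for the cancel step, but the comment should say so and the permission should be dropped from any job that stops running that step; the job's steps are outside this hunk, so confirm each job that receives it actually invokes cancel-outdated-builds. I would write `actions: write # repo-wide scope (can cancel/re-run any run); needed only for rust-lang/simpleinfra/github-actions/cancel-outdated-builds`. The top-level `permissions: {}` is the right default and makes every job opt in explicitly, which is the pattern to keep for future jobs.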
@@ -28,6 +33,10 @@ jobs:
run: LIBC_CI=1 sh ./ci/run-docker.sh ${{ matrix.target }}
macos:
+ permissions:
+ actions: write # to cancel workflows (rust-lang/simpleinfra/github-actions/cancel-outdated-builds)
+ contents: read # to fetch code (actions/checkout)
+
name: macOS
runs-on: macos-12
strategy:
@@ -47,6 +56,10 @@ jobs:
run: LIBC_CI=1 sh ./ci/run.sh ${{ matrix.target }}
windows:
+ permissions:
+ actions: write # to cancel workflows (rust-lang/simpleinfra/github-actions/cancel-outdated-builds)
+ contents: read # to fetch code (actions/checkout)
+
name: Windows
runs-on: windows-2022
env:
@@ -83,6 +96,10 @@ jobs:
shell: bash
style_check:
+ permissions:
+ actions: write # to cancel workflows (rust-lang/simpleinfra/github-actions/cancel-outdated-builds)
+ contents: read # to fetch code (actions/checkout)
+
name: Style check
runs-on: ubuntu-22.04
steps:
@@ -96,6 +113,10 @@ jobs:
run: sh ci/style.sh
docker_linux_tier2:
+ permissions:
+ actions: write # to cancel workflows (rust-lang/simpleinfra/github-actions/cancel-outdated-builds)
+ contents: read # to fetch code (actions/checkout)
+
name: Docker Linux Tier2
needs: [docker_linux_tier1, style_check]
runs-on: ubuntu-22.04
@@ -154,6 +175,10 @@ jobs:
# These targets are tier 3 or otherwise need to have CI build std via -Zbuild-std.
# Because of this, only the nightly compiler can be used on these targets.
docker_linux_build_std:
+ permissions:
+ actions: write # to cancel workflows (rust-lang/simpleinfra/github-actions/cancel-outdated-builds)
+ contents: read # to fetch code (actions/checkout)
+
if: ${{ false }} # This is currently broken
name: Docker Linux Build-Std Targets
needs: [docker_linux_tier1, style_check]
@@ -177,6 +202,10 @@ jobs:
# devkitpro's pacman needs to be connected from Docker.
docker_switch:
+ permissions:
+ actions: write # to cancel workflows (rust-lang/simpleinfra/github-actions/cancel-outdated-builds)
+ contents: read # to fetch code (actions/checkout)
+
name: Docker Switch
needs: [docker_linux_tier1, style_check]
runs-on: ubuntu-22.04
@@ -191,6 +220,10 @@ jobs:
run: LIBC_CI=1 sh ./ci/run-docker.sh switch
build_channels_linux:
+ permissions:
+ actions: write # to cancel workflows (rust-lang/simpleinfra/github-actions/cancel-outdated-builds)
+ contents: read # to fetch code (actions/checkout)
+
name: Build Channels Linux
needs: docker_linux_tier2
runs-on: ubuntu-22.04
@@ -221,6 +254,9 @@ jobs:
run: LIBC_CI=1 TOOLCHAIN=${{ matrix.toolchain }} sh ./ci/build.sh
build_channels_macos:
+ permissions:
+ contents: read # to fetch code (actions/checkout)
+
name: Build Channels macOS
needs: macos
# FIXME: Use macOS 11 for now as CI failed with a linker error on macOS 12 image:
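Review bot: `build_channels_macos` receives only `contents: read`, while the `macos` job it depends on (`needs: macos`) also gets `actions: write`; this is presumably because this job does not run cancel-outdated-builds, but its steps are outside the hunk so that cannot be verified here. If it does run the cancel step, the call will now fail with a 403 on `GITHUB_TOKEN` rather than being skipped, so the assumption should be checked before merge. If the asymmetry is intentional, a short comment on the job would stop a future reader from "fixing" it by copying the wider block, e.g. `# no actions: write — this job does not cancel outdated builds`.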
@@ -255,6 +291,9 @@ jobs:
run: LIBC_CI=1 TOOLCHAIN=${{ matrix.toolchain }} sh ./ci/build.sh
build_channels_windows:
+ permissions:
+ contents: read # to fetch code (actions/checkout)
+
name: Build Channels Windows
runs-on: windows-2022
env:
@@ -305,6 +344,10 @@ jobs:
run: sh ci/semver.sh macos
docs:
+ permissions:
+ actions: write # to cancel workflows (rust-lang/simpleinfra/github-actions/cancel-outdated-builds)
+ contents: read # to fetch code (actions/checkout)
+
name: Generate documentation
runs-on: ubuntu-22.04
needs: docker_linux_tier2
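Review bot: The `docs` job ("Generate documentation") is restricted to `contents: read`, which will block any publish step that pushes to a branch using `GITHUB_TOKEN`; a push over a deploy key or SSH would be unaffected. The job's steps are outside this hunk, so I cannot tell whether it publishes or only builds. If it pushes with the token, this job alone should get `contents: write # to push generated docs`; if it publishes via a deploy key, a comment noting that (so nobody later widens `contents`) would be useful.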
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 9cb5ffdc11..635d6121e6 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -7,6 +7,9 @@ on:
branches:
- master
+permissions:
+ contents: read # to fetch code (actions/checkout)
+
jobs:
docker_linux_tier1:
name: Docker Linux Tier1