🌱 Add token permissions to verify.yml workflow #1325

Merged (4 commits), Dec 2, 2021

Conversation

varunsh-coder (Contributor) opened this pull request:
  • Please check if the PR fulfills these requirements
  • What kind of change does this PR introduce? (Bug fix, feature, docs update, ...)
    Adds minimum token permissions to the verify.yml workflow

  • What is the current behavior? (You can also link to an open issue here)
    verify.yml workflow does not have token permissions set

  • What is the new behavior (if this is a feature change)?
    verify.yml workflow has token permissions. Permissions were added automatically using https://app.stepsecurity.io/secureworkflow

  • Does this PR introduce a breaking change? (What changes might users need to make in their application due to this PR?)
    No

  • Other information:
    Step Security website now adds permissions:read-all at top level as discussed in Token-Permissions check clarification #1128. The automation adds a new line above jobs:. Let me know if there should be no new line, or if there should also be a new line above the permissions: read-all.
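The following is an added illustration of where the key described above lands in a workflow; it is not the PR's own diff (this page does not show it) and the real verify.yml is not reproduced here. The workflow name, the pull_request trigger and the single job step are assumptions made for the example; only the `permissions: read-all` line and its placement above `jobs:` come from the PR description. The two YAML documents are the weak form (no permissions key, so every job inherits the repository's default GITHUB_TOKEN scopes, which on many repositories still means read/write) and the corrected form.

```yaml
# Added example, not the PR's diff. Job name and step are assumed for illustration.

# --- Before: no permissions key. Each job's GITHUB_TOKEN gets the repository
# default scopes, so a compromised step or action could write to the repo.
name: verify                     # assumed workflow name
on:
  pull_request:
    types: [opened, edited, reopened, synchronize]

jobs:
  verify:                        # assumed job name
    runs-on: ubuntu-latest
    steps:
      - name: Check PR description           # hypothetical step
        env:
          PR_BODY: ${{ github.event.pull_request.body }}
        run: printf '%s\n' "$PR_BODY" | grep -q 'Please check'

---
# --- After: a top-level permissions key, placed with a blank line above jobs:
# as the PR description says the automation does. read-all is the GitHub
# Actions shorthand for read access on every token scope; it applies to every
# job that does not declare its own permissions block.
name: verify
on:
  pull_request:
    types: [opened, edited, reopened, synchronize]

permissions: read-all

jobs:
  verify:
    runs-on: ubuntu-latest
    steps:
      - name: Check PR description           # hypothetical step
        env:
          PR_BODY: ${{ github.event.pull_request.body }}
        run: printf '%s\n' "$PR_BODY" | grep -q 'Please check'
```

Two practical checks before copying this pattern: a job-level `permissions:` block replaces the top-level set for that job rather than narrowing it, so any job that genuinely needs a write scope (for example `contents: write` for a release job) must declare exactly that scope and nothing more; and on `pull_request` events from forks the token is already read-only, so a workflow like this one that only inspects the PR body loses nothing from `read-all`, while a workflow that checks out and builds PR code should also pin its actions by commit SHA, since the permissions key limits what a hijacked action can do but not whether it runs.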

laurentsimon (Contributor) commented Nov 22, 2021:

@naveensrinivasan this PR seems ok to me because the action does not checkout the code or run it: it only looks at the PR description. Are we going to split this workflow using pull_request and run_workflow in the future? I don't think we gain anything by doing that though, since a takeover of the action would also allow the malicious PR to return success.

laurentsimon (Contributor) left a review comment:

Thanks!

naveensrinivasan temporarily deployed to integration-test, November 22, 2021 18:31.

github-actions bot: Integration tests success for 645f617 (https://github.com/ossf/scorecard/actions/runs/1491601893)

naveensrinivasan temporarily deployed to integration-test, November 24, 2021 16:02.

github-actions bot: Integration tests success for f022e48 (https://github.com/ossf/scorecard/actions/runs/1500162024)

azeemshaikh38 temporarily deployed to integration-test, December 2, 2021 21:41, and enabled auto-merge (squash).

github-actions bot commented Dec 2, 2021: Integration tests success for fc6b5c2 (https://github.com/ossf/scorecard/actions/runs/1532692297)

azeemshaikh38 merged commit 9ab2b20 into ossf:main, Dec 2, 2021.