GitHub Workflows security hardening

[emteknetnz]

Our CI builds only need read access to the repos to do their job ... except for when we do things like auto tagging?

Acceptance criteria

• Supported modules GitHub Action CI are updated to appropriate permissions.
• If possible, this is done in a central place.
• Update docs for gha actions e.g. gha-issue specifying the job scope permissions required to run the action
• The actions in the "Once the above PRs have been merged" below have been completed

Original PR

Note that this PR was made before the ACs were created. If it isn't fit for purpose, close it and create new PRs as appropriate.

• GitHub Workflows security hardening #10509

Workflow PRs

• ENH Add workflow permissions silverstripe-admin#1722
• ENH Add workflow permissions gha-ci#118
• ENH Add workflow permissions gha-action-ci#8
• ENH Add workflow permissions .github#224

Once the above PRs have been merged

• Assign back to Steve
• Create new branches and new tags
• Manually test that .github issue workflows work correctly
• Move to awaiting column for a while to see how things go over time
• When satisified that things are stable, update module standardiser to update workflow files on both repos (get same treatment as silverstripe/admin) AND gha actions (get the same treatment as ci.yml + action-ci.yml)
• Set all of the Action PRs below to ready and move to peer review column

Module standardiser PR

• ENH Add workflow permissions module-standardiser#46

Action PRs - Update docs

• DOC Document required permissions gha-run-tests#26
• DOC Document required permissions gha-merge-up#34
• DOC Document required permissions gha-generate-matrix#86
• DOC Document required permissions gha-dispatch-ci#13
• DOC Document required permissions gha-trigger-ci#7
• DOC Document required permissions gha-gauge-release#9
• DOC Document required permissions gha-issue#9
• DOC Document required permissions gha-keepalive#13
• DOC Document required permissions gha-update-js#27
• DOC Document required permissions gha-pull-request#13
• DOC Document required permissions gha-tag-release#23
• DOC Document required permissions gha-auto-tag#18

[emteknetnz]

permissions should be set to {} on workflow files and then add in as needed on individual jobs

In the case of shared workflows (ci.yml, action-ci.yml), set the permissions on the 'inner' shared workflow, rather that on the outer (such as framework ci.yml)

Create PR's to update workflow files in:

• silverstripe/admin
• silverstripe/gha-ci
• silverstripe/action-ci
• silverstripe/.github

Leave admin running for a few weeks to validate it's working correctly. Also manually run the "Update JS" workflow to confirm that works then delete created PR. When satisfied update module-standardiser to update the workflow files for repos - dispatch-ci.yml, keepalive.yml, merge-up.yml, update-js.yml

Also leave gha-ci working for a few weeks. Once we're happy with that use module-standardiser to update the gha specific workflow files - action-ci.yml, auto-tag.yml

Manually run .github workflows post merge to validate

You can use the following to work out the required scopes for API calls, use an finely grained token with zero permissions and access to some random repo

curl -sS -f -I -H "Authorization: token github_pat_abcdef123456" -X "GET" https://api.github.com/repos/myaccount/myrepo/branches | grep x-accepted-github-permissions

silverstripe/admin

• dispatch-ci.yml - contents:read, actions:write ... metadata:read* (can't/shouldn't need to set metadata)
• keepalive.yml - actions:write
• merge-ups.yml - contents:write, actions:write
• update-js.yml - contents:write, actions:write, pull-requests:write

gha-ci

• ci.yml jobs
  • context - none
  • genmatrix - none
  • tests - none
  • checkgovernance - none
  • patchrelease - contents:write <<<---- note this will affect ALL repos that use ci.yml
• auto-tag.yml - contents:write
• keepalive.yml - actions:write
• merge-up.yml - contents:write, actions:write

gha-action-ci

• action-ci jobs
  • ci none
  • gaugerelease contents:read
  • patchrelease contents:write
  • dispatchautotag actions:write

.github

• js-prs-issue.yml - issue:write
• keepalive.yml - actions:write
• translation-issue.yml - issue:write

permissions required for gha actions (not including gha shared workflows gha-ci and gha-action-ci)

gha-run-tests

• required_permissions: none
• uses_gha_actions: none

gha-merge-up

• required_permissions: contents:write, actions:write
• uses_gha_actions: gha-trigger-ci

gha-generate-matrix

• required_permissions: none
• uses_gha_actions: none

gha-dispatch-ci

• required_permissions: contents:read, actions:write
• uses_gha_actions: none

gha-trigger-ci

• required_permissions: contents:read, actions:write
• uses_gha_actions: none

gha-gauge-release

• required_permissions: contents:read
• uses_gha_actions: none

gha-issue

• required_permissions: issue:write
• uses_gha_actions: none

gha-keepalive

• required_permissions: actions:write
• uses_gha_actions: none

gha-update-js

• required_permissions: contents:write, pull-request:write, actions:write
• uses_gha_actions: gha-pull-request

gha-pull-request

• required_permissions: contents:write, pull-request:write, actions:write
• uses_gha_actions: gha-trigger-ci

gha-tag-release

• required_permissions: contents:write
• uses_gha_actions: none

gha-auto-tag

• required_permissions: contents:write
• uses_gha_actions: gha-tag-release

metadata
metadata isn't defined on https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
But it is defined on https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token and says that it's always read. "When the permissions key is used, all unspecified permissions are set to no access, with the exception of the metadata scope, which always gets read access."

Validation that the read tokens set on pull_request events cannot be elevated to write

Push from repo - allowed

• https://github.com/emteknetnz/test-thing/actions/runs/8697270388
• Test issue emteknetnz/test-thing#1 < issue created

PR from repo - allowed

• https://github.com/emteknetnz/test-thing/actions/runs/8697279846
• Test issue emteknetnz/test-thing#2 < issue created

PR from forked repo - disallowed

• https://github.com/emteknetnz/test-thing/actions/runs/8697308483/job/23852305832#step:2:39
• No issue created

Validation that raw git commands require a contents:write permission

Test raw git commands creating a branch with contents:write on push event

• https://github.com/emteknetnz/test-thing/actions/runs/8697588618
• Branch created https://github.com/emteknetnz/test-thing/tree/testbranch

Test raw git commands creating a branch with contents:read on push event

• https://github.com/emteknetnz/test-thing/actions/runs/8697659870
• Workflow failed and no branch created

Validation that raw git commands without git push only don't require any permissions

• https://github.com/emteknetnz/test-thing/actions/runs/8697807563/job/23853725351 - contents:read - pass
• https://github.com/emteknetnz/test-thing/actions/runs/8697874128/job/23853917611 - no permissions - pass

[GuySartorelli]

Initial PRs merged. Assigning to Steve for next steps

[GuySartorelli]

PRs merged