Conversation

stevenhorsman
Member

Going beyond #11322, this explicitly sets the top-level permissions to just be read of contents and then individually adds the exceptions in as required, primarily for pushing to ghcr.io

@stevenhorsman
Member Author

This is a workflow only change, so not tested in this PR, but has been run on the upstream branch in https://github.com/kata-containers/kata-containers/actions/runs/15305491231 and https://github.com/kata-containers/kata-containers/actions/runs/15305591234/job/43061977799

Set:
```
permissions:
  contents: read
```
as the default top-level permissions explicitly
to conform to recommended security practices e.g.
https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
We have a number of jobs that either need, or nest workflows
that need gh permissions, such as for pushing to ghcr,
or doing attest build provenance. This means they need write
permissions on things like `packages`, `id-token` and `attestations`,
so we need to set these permissions at the job-level
(along with `contents: read`), so they are not restricted by our
safe defaults.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
@stevenhorsman stevenhorsman force-pushed the top-level-workflow-permissions branch from 9dcecd8 to c34416f Compare May 28, 2025 18:34
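An added illustration of the layout the commit message describes (not a file from this PR or from the kata-containers repository): the top level grants the token only `contents: read`, and a single job restates that scope alongside the write scopes it needs to push to ghcr.io and attest build provenance. The workflow name, image name, step id and action versions are assumptions.

```yaml
name: publish-image

on:
  push:
    branches: [main]

# Default token for every job in this workflow: read repository contents only.
permissions:
  contents: read

jobs:
  lint:
    # No permissions block, so this job inherits the read-only default.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: echo "lint would run here"

  publish:
    runs-on: ubuntu-latest
    # A job-level block replaces the top-level scopes for this job's token
    # rather than adding to them, so contents: read is restated here.
    permissions:
      contents: read
      packages: write        # push the image to ghcr.io
      id-token: write        # OIDC token used when signing the attestation
      attestations: write    # store the provenance attestation
    steps:
      - uses: actions/checkout@v4
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - id: build
        uses: docker/build-push-action@v6
        with:
          push: true
          # assumed image name for the example
          tags: ghcr.io/${{ github.repository }}/example:latest
      - uses: actions/attest-build-provenance@v2
        with:
          subject-name: ghcr.io/${{ github.repository }}/example
          subject-digest: ${{ steps.build.outputs.digest }}
          push-to-registry: true
```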
Member

@fidencio fidencio left a comment


lgtm, thanks @stevenhorsman! (assuming green tests)

Member

@RuoqingHe RuoqingHe left a comment


Great work, thanks @stevenhorsman ❤️

@stevenhorsman stevenhorsman merged commit 3da213a into main May 29, 2025
48 of 49 checks passed
@stevenhorsman stevenhorsman deleted the top-level-workflow-permissions branch May 29, 2025 09:03
@stevenhorsman stevenhorsman mentioned this pull request May 29, 2025
25 tasks
@stevenhorsman stevenhorsman changed the title Top level workflow permissions Explicitly set top level permissions for each workflow May 29, 2025
3 participants