How to set GitHub Actions’s `permissions`?

How to set GitHub Actions’s `permissions`?:

 GitHub introduce permissions fields on GitHub Actions for security reasons.

The permissions field will help you to prevent software supply chain attack.

For example, codecov’s bash script is hacked recently.

This supply chain attack affects to CI like Circle CI, GitHub Actions.

GitHub Actions can limit each actions’s permissions.

For example, next permissios only allow the action to read repo’s content.

permissions:
    contents: read

The default permissions is write-all.
Of course, you can change the default workflow permission of the repository.

So, you need to do following to improve security of GitHub Actions.

  • Change the default permissiont to “Read repository contents permission ”
  • Write each actions’s permissions to yaml files

However, permissions is optional and it is a little of hard to set. Because, almost actions does not provides permissions guide.

@pkgdeps/update-github-actions-permissions

I’ve created a tool that update GitHub Actions’s permissions automatically.

This tools detect using Actions and add permissions field to your action yaml file.

Requirements: Node.js 14+

You can update your GitHub Actions via following command:

npx @pkgdeps/update-github-actions-permissions ".github/workflows/*.{yaml,yml}"

update-github-actions-permissions result

This tool supports 40+ actions.

If you found missing actions, please submit a pull request.

from Tumblr https://generouspiratequeen.tumblr.com/post/657305916028354560

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s