
Scope GITHUB_TOKEN permissions #4084


Merged
merged 1 commit into from
Apr 8, 2025
Merged
1 change: 1 addition & 0 deletions .github/workflows/backport-pull-request.yml
Expand Up @@ -19,6 +19,7 @@ jobs:
create-backport-pull-request:
runs-on: ubuntu-latest
steps:
- uses: GitHubSecurityLab/actions-permissions/monitor@v1
- name: Checkout
uses: actions/checkout@v4
with:
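Review bot: The monitor step added to `steps:` references `GitHubSecurityLab/actions-permissions/monitor@v1`, a mutable tag, while this repository already pins a third-party action by commit hash with a version comment (`re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe` under `# Pinned to commit hash of v1.2.2` in ci.yml). The same `@v1` reference is inserted as the first step of every job in every workflow touched by this PR, so one pinned line copied everywhere is enough: `# Pinned to commit hash of v1` above `- uses: GitHubSecurityLab/actions-permissions/monitor@<full commit SHA>` (SHA to be taken from the upstream tag). A tag can be repointed at a different commit, so the hash pin keeps this step reproducible and lets Dependabot or Renovate surface updates as reviewable diffs. Because it runs third-party code in every job, a comment saying whether the monitor is meant to stay after the permission audit, or be removed once the `permissions:` blocks are settled, would help the next maintainer. The `create-backport-pull-request` job's remaining steps continue below the hunk.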
7 changes: 7 additions & 0 deletions .github/workflows/ci-main.yml
Expand Up @@ -18,6 +18,12 @@ concurrency:
env:
ecr_repository: public.ecr.aws/w0m4q9l7/github-awslabs-smithy-rs-ci

permissions:
actions: read
contents: read
id-token: write
pull-requests: read

jobs:
# Build and upload the Docker build image if necessary
acquire-base-image:
Expand All @@ -30,6 +36,7 @@ jobs:
id-token: write
contents: read
steps:
- uses: GitHubSecurityLab/actions-permissions/monitor@v1
- name: Checkout
uses: actions/checkout@v4
- name: Acquire credentials
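Review bot: The new workflow-level `permissions:` block grants `id-token: write` to every job that does not declare its own block, although the job-level block shown in the second hunk (`id-token: write` / `contents: read` on acquire-base-image, written before this PR) already scopes that capability to the job that needs it. A job-level `permissions` replaces the workflow-level one entirely, so the narrow job block still holds, but any job without one now inherits the ability to mint OIDC tokens. Unless a reusable-workflow call elsewhere in this file requires the scope at workflow level (the author's reply on dry-run-release-scheduled.yml describes that constraint for the release workflows, which I cannot verify from these hunks), drop `id-token: write` from the top-level block and keep it on the jobs that exchange the token. ci-merge-queue.yml and ci-pr-forks.yml add the same workflow-level block alongside the same job-level scoping on acquire-base-image, and the same change applies there.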
8 changes: 8 additions & 0 deletions .github/workflows/ci-merge-queue.yml
Expand Up @@ -16,6 +16,12 @@ concurrency:
env:
ecr_repository: public.ecr.aws/w0m4q9l7/github-awslabs-smithy-rs-ci

permissions:
actions: read
contents: read
id-token: write
pull-requests: read

jobs:
# This job will, if possible, save a docker login password to the job outputs. The token will
# be encrypted with the passphrase stored as a GitHub secret. The login password expires after 12h.
Expand All @@ -31,6 +37,7 @@ jobs:
continue-on-error: true
runs-on: ubuntu-latest
steps:
- uses: GitHubSecurityLab/actions-permissions/monitor@v1
- name: Attempt to load a docker login password
uses: aws-actions/configure-aws-credentials@v4
with:
Expand Down Expand Up @@ -60,6 +67,7 @@ jobs:
id-token: write
contents: read
steps:
- uses: GitHubSecurityLab/actions-permissions/monitor@v1
- uses: actions/checkout@v4
with:
path: smithy-rs
10 changes: 10 additions & 0 deletions .github/workflows/ci-pr-forks.yml
Expand Up @@ -12,16 +12,26 @@ concurrency:
group: ci-forks-yaml-${{ github.ref }}
cancel-in-progress: true

permissions:
actions: read
contents: read
id-token: write
pull-requests: read

jobs:
# This job detects if the PR made changes to build tools. If it did, then it builds a new
# build Docker image. Otherwise, it downloads a build image from Public ECR. In both cases,
# it uploads the image as a build artifact for other jobs to download and use.
acquire-base-image:
name: Acquire Base Image
if: ${{ github.event.pull_request.head.repo.full_name != 'smithy-lang/smithy-rs' }}
permissions:
id-token: write
contents: read
runs-on: ubuntu-latest
timeout-minutes: 60
steps:
- uses: GitHubSecurityLab/actions-permissions/monitor@v1
- uses: actions/checkout@v4
with:
path: smithy-rs
12 changes: 11 additions & 1 deletion .github/workflows/ci-pr.yml
Expand Up @@ -15,6 +15,12 @@ concurrency:
env:
ecr_repository: public.ecr.aws/w0m4q9l7/github-awslabs-smithy-rs-ci

permissions:
actions: read
contents: read
id-token: write
pull-requests: write

jobs:
# This job will, if possible, save a docker login password to the job outputs. The token will
# be encrypted with the passphrase stored as a GitHub secret. The login password expires after 12h.
Expand All @@ -31,6 +37,7 @@ jobs:
continue-on-error: true
runs-on: ubuntu-latest
steps:
- uses: GitHubSecurityLab/actions-permissions/monitor@v1
- name: Attempt to load a docker login password
uses: aws-actions/configure-aws-credentials@v4
with:
Expand All @@ -45,7 +52,6 @@ jobs:
)
echo "docker-login-password=$ENCRYPTED_PAYLOAD" >> $GITHUB_OUTPUT


# This job detects if the PR made changes to build tools. If it did, then it builds a new
# build Docker image. Otherwise, it downloads a build image from Public ECR. In both cases,
# it uploads the image as a build artifact for other jobs to download and use.
Expand All @@ -62,6 +68,7 @@ jobs:
id-token: write
contents: read
steps:
- uses: GitHubSecurityLab/actions-permissions/monitor@v1
- uses: actions/checkout@v4
with:
path: smithy-rs
Expand Down Expand Up @@ -112,6 +119,8 @@ jobs:

semver-checks:
name: Check PR semver compliance
permissions:
pull-requests: read
runs-on: smithy_ubuntu-latest_8-core
timeout-minutes: 20
needs:
Expand All @@ -124,6 +133,7 @@ jobs:
!contains(needs.*.result, 'failure') &&
!contains(needs.*.result, 'cancelled')
steps:
- uses: GitHubSecurityLab/actions-permissions/monitor@v1
- uses: actions/checkout@v4
with:
path: smithy-rs
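Review bot: The workflow-level block in the first hunk is the only CI one in this PR that grants `pull-requests: write`, and the single job-level override added here (`semver-checks`) narrows it back to `pull-requests: read`, which suggests most jobs need only read. Invert the default: keep `pull-requests: read` at workflow level, matching ci-main.yml and ci-merge-queue.yml, and add a job-level `permissions:` with `pull-requests: write` only on the job that posts to the PR; that job is outside these hunks, so confirm which one it is before changing it. With the write scope at workflow level, every job lacking its own block — including the build jobs that check out and execute repository code — can edit PR comments and labels. Note that `semver-checks` now also loses `contents: read` and `id-token: write` from the workflow-level block, since the job-level block replaces rather than merges; if its checkout step (visible in the last hunk) needs `contents: read`, add it to the job block.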
10 changes: 10 additions & 0 deletions .github/workflows/ci.yml
Expand Up @@ -56,6 +56,7 @@ jobs:
- action: generate-aws-sdk-smoketest
- action: generate-smithy-rs-release
steps:
- uses: GitHubSecurityLab/actions-permissions/monitor@v1
- uses: actions/checkout@v4
with:
path: smithy-rs
Expand Down Expand Up @@ -127,6 +128,7 @@ jobs:
- action: check-deterministic-codegen
runner: smithy_ubuntu-latest_8-core
steps:
- uses: GitHubSecurityLab/actions-permissions/monitor@v1
- uses: actions/checkout@v4
with:
path: smithy-rs
Expand All @@ -144,6 +146,7 @@ jobs:
runs-on: smithy_ubuntu-latest_8-core
timeout-minutes: 30
steps:
- uses: GitHubSecurityLab/actions-permissions/monitor@v1
- uses: actions/checkout@v4
with:
path: smithy-rs
Expand Down Expand Up @@ -188,6 +191,7 @@ jobs:
- action: check-aws-sdk-standalone-integration-tests
runner: ubuntu-latest
steps:
- uses: GitHubSecurityLab/actions-permissions/monitor@v1
- uses: actions/checkout@v4
with:
path: smithy-rs
Expand Down Expand Up @@ -266,6 +270,7 @@ jobs:
test_aws_exclude: --exclude aws-inlineable
test_smithy_rs_exclude: --exclude aws-smithy-http-server-python --exclude aws-smithy-http-server-typescript --exclude aws-smithy-experimental --exclude aws-smithy-http-client
steps:
- uses: GitHubSecurityLab/actions-permissions/monitor@v1
- name: Checkout
uses: actions/checkout@v4
with:
Expand Down Expand Up @@ -343,7 +348,10 @@ jobs:
permissions:
id-token: write
contents: read
actions: read
pull-requests: read
steps:
- uses: GitHubSecurityLab/actions-permissions/monitor@v1
- uses: actions/checkout@v4
with:
path: smithy-rs
Expand All @@ -368,6 +376,7 @@ jobs:
if: ${{ !inputs.run_canary }}
runs-on: ubuntu-latest
steps:
- uses: GitHubSecurityLab/actions-permissions/monitor@v1
- run: |
echo "PR bot and canary cannot be invoked from a forked repository. Ask a maintainer to manually invoke them using your PR."
exit 1
Expand All @@ -387,6 +396,7 @@ jobs:
runs-on: ubuntu-latest
name: Matrix Success
steps:
- uses: GitHubSecurityLab/actions-permissions/monitor@v1
- name: Verify jobs succeeded
# Pinned to commit hash of v1.2.2
uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe
6 changes: 6 additions & 0 deletions .github/workflows/claim-crate-names.yml
Expand Up @@ -25,6 +25,7 @@ jobs:
name: Check that workflow is running in main
runs-on: ubuntu-latest
steps:
- uses: GitHubSecurityLab/actions-permissions/monitor@v1
- name: Main branch check
if: ${{ github.ref_name != 'main' }}
uses: actions/github-script@v7
Expand All @@ -35,10 +36,14 @@ jobs:
# This job will be a no-op if an image was already built on main by another workflow.
acquire-base-image:
name: Acquire Base Image
permissions:
id-token: write
contents: read
needs:
- main-branch-check
runs-on: ubuntu-latest
steps:
- uses: GitHubSecurityLab/actions-permissions/monitor@v1
- uses: actions/checkout@v4
with:
path: smithy-rs
Expand All @@ -60,6 +65,7 @@ jobs:
- acquire-base-image
runs-on: ubuntu-latest
steps:
- uses: GitHubSecurityLab/actions-permissions/monitor@v1
- name: Install Rust
uses: dtolnay/rust-toolchain@master
with:
2 changes: 2 additions & 0 deletions .github/workflows/credentials-verification.yml
Expand Up @@ -12,6 +12,7 @@ jobs:
if: github.repository == 'smithy-lang/smithy-rs'
runs-on: ubuntu-latest
steps:
- uses: GitHubSecurityLab/actions-permissions/monitor@v1
- name: Checkout smithy-rs
uses: actions/checkout@v4
- name: Verify Crates.io Token
Expand All @@ -38,6 +39,7 @@ jobs:
if: github.repository == 'smithy-lang/smithy-rs'
runs-on: ubuntu-latest
steps:
- uses: GitHubSecurityLab/actions-permissions/monitor@v1
- name: Checkout smithy-rs
# To test the validity of the personal access token, we only need to perform checkout with the specified token.
uses: actions/checkout@v4
6 changes: 6 additions & 0 deletions .github/workflows/dry-run-release-scheduled.yml
Expand Up @@ -11,6 +11,12 @@ on:
# Runs 00:00 UTC every day
- cron: 0 0 * * *

permissions:
actions: read
contents: read
id-token: write
pull-requests: read
Contributor


Just to educate myself, what's the reason for pull-requests to be set to read when it was previously none? Does that mean the workflow needs to read metadata for a pull request?

Contributor Author


It is because the dry-run release calls release.yml which in turn invokes ci.yml which needs the pull-request permission. The GH permissions of the parent job are inherited by the child job and even if that child job skips the step that actually uses that permission it still needs it from the parent.

Interestingly I believe it was previously set to write rather than none since our previous default token permissions were set to:

Read and write permissions
Workflows have read and write permissions in the repository for all scopes.

As a side note, I think I will probably have to increase the pull-request permissions to write since the prod release will need that to cut the backport PR and prod/dry-run release both share the underlying release.yml action definition. Going to attempt a prod release once this is merged to finalize those permissions.


jobs:
smithy-rs-scheduled-dry-run-release:
name: Scheduled dry-run release
6 changes: 6 additions & 0 deletions .github/workflows/dry-run-release.yml
Expand Up @@ -22,6 +22,12 @@ on:
type: boolean
default: true

permissions:
actions: read
contents: read
id-token: write
pull-requests: read

jobs:
smithy-rs-manual-dry-run-release:
name: Manual dry run release
1 change: 1 addition & 0 deletions .github/workflows/github-pages.yml
Expand Up @@ -20,6 +20,7 @@ jobs:
if: github.repository == 'smithy-lang/smithy-rs'
runs-on: ubuntu-latest
steps:
- uses: GitHubSecurityLab/actions-permissions/monitor@v1
- name: Checkout
uses: actions/checkout@v4
with:
7 changes: 7 additions & 0 deletions .github/workflows/manual-canary.yml
Expand Up @@ -24,6 +24,7 @@ jobs:
name: Get PR info
runs-on: ubuntu-latest
steps:
- uses: GitHubSecurityLab/actions-permissions/monitor@v1
- name: Get PR info
id: get-pr-info
uses: actions/github-script@v7
Expand All @@ -47,10 +48,14 @@ jobs:

acquire-base-image:
name: Acquire Base Image
permissions:
id-token: write
contents: read
needs:
- get-pr-info
runs-on: ubuntu-latest
steps:
- uses: GitHubSecurityLab/actions-permissions/monitor@v1
- uses: actions/checkout@v4
with:
path: smithy-rs
Expand All @@ -75,6 +80,7 @@ jobs:
- get-pr-info
runs-on: smithy_ubuntu-latest_8-core
steps:
- uses: GitHubSecurityLab/actions-permissions/monitor@v1
- uses: actions/checkout@v4
with:
path: smithy-rs
Expand All @@ -94,6 +100,7 @@ jobs:
id-token: write
contents: read
steps:
- uses: GitHubSecurityLab/actions-permissions/monitor@v1
- uses: actions/checkout@v4
with:
path: smithy-rs
10 changes: 10 additions & 0 deletions .github/workflows/manual-pull-request-bot.yml
Expand Up @@ -13,11 +13,17 @@ on:
required: true
type: string

permissions:
id-token: write
pull-requests: write
contents: read

jobs:
get-pr-info:
name: Get PR info
runs-on: ubuntu-latest
steps:
- uses: GitHubSecurityLab/actions-permissions/monitor@v1
- name: Get PR info
id: get-pr-info
uses: actions/github-script@v7
Expand Down Expand Up @@ -45,10 +51,14 @@ jobs:
# it uploads the image as a build artifact for other jobs to download and use.
acquire-base-image:
name: Acquire Base Image
permissions:
id-token: write
contents: read
needs:
- get-pr-info
runs-on: ubuntu-latest
steps:
- uses: GitHubSecurityLab/actions-permissions/monitor@v1
- uses: actions/checkout@v4
with:
path: smithy-rs
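Review bot: The `get-pr-info` job runs `actions/github-script` with no job-level `permissions`, so it inherits the new workflow-level `id-token: write` and `pull-requests: write` although its name suggests it only reads PR metadata for the string input declared above; give it its own block, `permissions:` / `  pull-requests: read`, the way acquire-base-image in the second hunk gets `id-token: write` / `contents: read`. Whether a later job needs the write scope to comment on the PR is outside these hunks, so keep the workflow-level `pull-requests: write` only if that job cannot carry it itself. Style: this file orders the workflow-level keys `id-token, pull-requests, contents`, while every other file in the PR lists them alphabetically (`actions, contents, id-token, pull-requests`); matching the order keeps the blocks diffable across workflows.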
4 changes: 4 additions & 0 deletions .github/workflows/manual-update-lockfiles.yml
Expand Up @@ -16,6 +16,10 @@ on:
type: boolean
default: false

permissions:
contents: read
id-token: write

concurrency:
group: ${{ github.workflow }}-${{ inputs.base_branch }}
cancel-in-progress: true
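Review bot: The new block limits GITHUB_TOKEN to `contents: read` and `id-token: write`, but every job of this workflow lies outside the hunk, so it is not visible whether a step pushes the refreshed lockfiles or opens a pull request with that token; if one does, the restriction surfaces as a 403 at run time rather than in review. Since the `workflow_dispatch` inputs above the block suggest the workflow is exercised manually, a dry run after merge would confirm it, and any write scope should then go on that single job (`contents: write` or `pull-requests: write` in a job-level block) rather than back into the workflow-level block. A one-line comment above `permissions:`, such as `# Read-only by default; a job that pushes or opens a PR declares its own write scope`, would record the intent for the next edit.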
6 changes: 6 additions & 0 deletions .github/workflows/prod-release.yml
Expand Up @@ -17,6 +17,12 @@ on:
required: true
type: string

permissions:
actions: read
contents: read
id-token: write
pull-requests: read

jobs:
smithy-rs-prod-release:
name: Prod release
2 changes: 2 additions & 0 deletions .github/workflows/pull-request-bot.yml
Expand Up @@ -46,6 +46,7 @@ jobs:
outputs:
bot-message: ${{ steps.generate-diff.outputs.bot-message }}
steps:
- uses: GitHubSecurityLab/actions-permissions/monitor@v1
- uses: actions/checkout@v4
with:
path: smithy-rs
Expand Down Expand Up @@ -147,6 +148,7 @@ jobs:
contents: read
pull-requests: write
steps:
- uses: GitHubSecurityLab/actions-permissions/monitor@v1
- uses: actions/checkout@v4
with:
path: smithy-rs