ci: reduce workflow permissions

Decrease security exposure by restricting what the code executing in the actions is allowed to do (in terms of GitHub operations).
2021-05-16 11:17:05 +03:00 · 2021-05-16 11:17:05 +03:00 · 6bc6ec323a
parent e2567a680e
commit 6bc6ec323a
4 changed files with 54 additions and 0 deletions
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@ -13,13 +13,19 @@ on:
    branches:
      - main
      - "[0-9]+.[0-9]+.x"
+
 env:
  PYTEST_ADDOPTS: "--color=yes"

+# Set permissions at the job level.
+permissions: {}
+
 jobs:
  build:
    runs-on: ${{ matrix.os }}
    timeout-minutes: 30
+    permissions:
+      contents: read

    strategy:
      fail-fast: false
@ -139,10 +145,13 @@ jobs:
    - uses: actions/checkout@v2
      with:
        fetch-depth: 0
+        persist-credentials: false
+
    - name: Set up Python ${{ matrix.python }}
      uses: actions/setup-python@v2
      with:
        python-version: ${{ matrix.python }}
+
    - name: Install dependencies
      run: |
        python -m pip install --upgrade pip
@ -164,19 +173,29 @@ jobs:

  linting:
    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+
    steps:
    - uses: actions/checkout@v2
+      with:
+        persist-credentials: false
+
    - uses: actions/setup-python@v2
+
    - name: set PY
      run: echo "name=PY::$(python -c 'import hashlib, sys;print(hashlib.sha256(sys.version.encode()+sys.executable.encode()).hexdigest())')" >> $GITHUB_ENV
+
    - uses: actions/cache@v2
      with:
        path: ~/.cache/pre-commit
        key: pre-commit|${{ env.PY }}|${{ hashFiles('.pre-commit-config.yaml') }}
+
    - name: Install dependencies
      run: |
        python -m pip install --upgrade pip
        pip install tox
+
    - run: tox -e linting

  deploy:
@ -184,6 +203,8 @@ jobs:

    runs-on: ubuntu-latest
    timeout-minutes: 30
+    permissions:
+      contents: read

    needs: [build]

@ -191,22 +212,28 @@ jobs:
    - uses: actions/checkout@v2
      with:
        fetch-depth: 0
+        persist-credentials: false
+
    - name: Set up Python
      uses: actions/setup-python@v2
      with:
        python-version: "3.7"
+
    - name: Install dependencies
      run: |
        python -m pip install --upgrade pip
        pip install --upgrade wheel setuptools tox
+
    - name: Build package
      run: |
        python setup.py sdist bdist_wheel
+
    - name: Publish package to PyPI
      uses: pypa/gh-action-pypi-publish@master
      with:
        user: __token__
        password: ${{ secrets.pypi_token }}
+
    - name: Publish GitHub release notes
      env:
        GH_RELEASE_NOTES_TOKEN: ${{ secrets.release_notes }}
--- a/.github/workflows/prepare-release-pr.yml
+++ b/.github/workflows/prepare-release-pr.yml
@ -12,14 +12,20 @@ on:
        required: true
        default: 'no'

+# Set permissions at the job level.
+permissions: {}
+
 jobs:
  build:
    runs-on: ubuntu-latest
+    permissions:
+      contents: read

    steps:
    - uses: actions/checkout@v2
      with:
        fetch-depth: 0
+        persist-credentials: false

    - name: Set up Python
      uses: actions/setup-python@v2
--- a/.github/workflows/release-on-comment.yml
+++ b/.github/workflows/release-on-comment.yml
@ -7,9 +7,14 @@ on:
  issue_comment:
    types: [created, edited]

+# Set permissions at the job level.
+permissions: {}
+
 jobs:
  build:
    runs-on: ubuntu-latest
+    permissions:
+      contents: read

    if: (github.event.comment && startsWith(github.event.comment.body, '@pytestbot please')) || (github.event.issue && !github.event.comment && startsWith(github.event.issue.body, '@pytestbot please'))

@ -17,15 +22,18 @@ jobs:
    - uses: actions/checkout@v2
      with:
        fetch-depth: 0
+        persist-credentials: false

    - name: Set up Python
      uses: actions/setup-python@v2
      with:
        python-version: "3.8"
+
    - name: Install dependencies
      run: |
        python -m pip install --upgrade pip
        pip install --upgrade setuptools tox
+
    - name: Prepare release
      run: |
        tox -e release-on-comment -- $GITHUB_EVENT_PATH ${{ secrets.chatops }}
--- a/.github/workflows/update-plugin-list.yml
+++ b/.github/workflows/update-plugin-list.yml
@ -7,22 +7,35 @@ on:
    - cron: '0 0 * * 0'
  workflow_dispatch:

+# Set permissions at the job level.
+permissions: {}
+
 jobs:
  createPullRequest:
    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+
    steps:
      - name: Checkout
        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+
      - name: Setup Python
        uses: actions/setup-python@v2
        with:
          python-version: 3.8
+
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install packaging requests tabulate[widechars]
+
      - name: Update Plugin List
        run: python scripts/update-plugin-list.py
+
      - name: Create Pull Request
        uses: peter-evans/create-pull-request@2455e1596942c2902952003bbb574afbbe2ab2e6
        with: