Harden GITHUB_TOKEN permissions for OSSF Scorecard #7599
Conversation
Hi @cji. Thanks for your PR. I'm waiting for a containerd member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
samuelkarp
left a comment
Would you mind testing out these workflows? You'd need to enable GitHub Actions on your fork and then trigger the on condition. (If you can't test some, like the Windows workflows that depend on Azure, just let us know.)
GO_VERSION: '1.19.2'

permissions: # added using https://github.com/step-security/secure-workflows
  contents: read
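Review bot: a workflow-level `permissions: contents: read` block applies to every job in this file, including the release job, so the release step that uses softprops/action-gh-release (which its README lists as needing `contents: write`) will fail with this token. Keep the read-only default at the top of the file and add a job-level `permissions:` block with `contents: write` on the release job only, rather than raising the workflow-level default.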
This one probably needs write on the release job.
added permissions based on the required permission listed here: https://github.com/softprops/action-gh-release#permissions
Signed-off-by: Craig Ingram <[email protected]>
Thank you @samuelkarp! I've run the workflow tests on my fork (and I think the checks on this PR used the updated workflows too) and have everything working now after figuring out how to set up all the right things for Azure (the biggest pain point was my new free account didn't have the capacity limits to run them all at once). Doing this did catch a couple of things that needed to be updated, including the permissions you caught for the Containerd Release job, and copying the Windows integration test permissions into the periodic tests. Here are links to all the other jobs: (I also have passing Fuzzing, CodeQL, and CI tests but those are visible on this PR as well - though it looks like one runc test failed on my last push - not sure if it's flaky?)
Wow, thanks for testing everything! (I wasn't anticipating that you'd set up the Azure jobs too.)
Yes, that particular test is flaky. I've kicked it to rerun.

Great! Thanks for your help. It was a cool learning experience setting up all the jobs.
estesp
left a comment
LGTM
Hi all! I took a look at the OpenSSF Scorecard results for the containerd repo and noticed it was getting a 0/10 for the GitHub workflow token permissions check.
I followed the guidance from the scorecard tool to apply the changes in this PR. Some were automated recommendations from their linked Step Security tool, and others I applied manually based on the warnings.
The summary of the changes is adding:
This is still getting a 0/10 for the check due to two remaining warnings (that I'll share) but the Aggregate score increased against my fork by 1.7 points.
The remaining 2 warnings are that the build-test-images.yml and images.yml workflows have jobLevel permissions with packages: write, which causes a large reduction in points unless the job "utilizes a recognized packaging action or command". Not sure if there's a scorecard bug here or if there's another way or suggestion you all may have to clear those issues up and get full credit here.

Signed-off-by: Craig Ingram [email protected]
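As an added example, not a file from the containerd repository or from this PR, the workflow below shows the shape that the release-job review thread above and the PR description both describe: a read-only GITHUB_TOKEN default at the workflow level, with `contents: write` granted only on the job that runs softprops/action-gh-release and `packages: write` only on the job that pushes an image. The job names, the `make` targets, the artifact glob `dist/*.tar.gz` and the image name `ghcr.io/example/app` are assumptions for illustration.

```yaml
name: ci-and-release

on:
  push:
    branches: [main]
    tags: ['v*']
  pull_request:

# Workflow-level default: every job gets a read-only GITHUB_TOKEN unless
# it declares its own permissions block. Without this block the token
# falls back to the repository's Actions default, which is what the
# Scorecard Token-Permissions check flags.
permissions:
  contents: read

jobs:
  test:
    # Inherits contents: read from the workflow level; no write scopes.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - run: make test          # assumed target

  release:
    # A job-level permissions block replaces the workflow-level one, so
    # every scope the job needs must be listed here. Creating a release
    # and uploading assets with softprops/action-gh-release needs
    # contents: write (per that action's README).
    if: startsWith(github.ref, 'refs/tags/')
    needs: test
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v3
      - run: make release       # assumed target
      - uses: softprops/action-gh-release@v1
        with:
          files: dist/*.tar.gz  # assumed artifact path

  image:
    # Pushing to GitHub Container Registry needs packages: write on this
    # job only; contents stays read-only.
    needs: test
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    steps:
      - uses: actions/checkout@v3
      - uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - uses: docker/build-push-action@v3
        with:
          push: ${{ github.event_name != 'pull_request' }}
          tags: ghcr.io/example/app:${{ github.sha }}  # assumed image name
```

Two points worth checking when applying this pattern: a job-level `permissions:` block does not merge with the workflow-level one, so any scope omitted from the job block is set to none for that job, which is why `image` restates `contents: read`; and whether Scorecard credits a given push step as a "recognized packaging action or command" is exactly the open question raised in the PR description, so declaring `packages: write` at job level is necessary but, on its own, not sufficient for full marks on that check.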