Description

This PR adds minimum token permissions for the GITHUB_TOKEN in GitHub Actions workflows using https://github.com/step-security/secure-workflows.

The GitHub Actions workflow has a GITHUB_TOKEN with write access to multiple scopes. Here is an example of the permissions in one of the workflow runs: https://github.com/spring-projects/spring-framework/runs/8233093764?check_suite_focus=true#step:1:19

After this change, the scopes will be reduced to the minimum needed for the workflow.

Motivation and Context

  • This is a security best practice, so if the GITHUB_TOKEN is compromised due to a vulnerability or compromised Action, the damage will be reduced.
  • GitHub recommends defining minimum GITHUB_TOKEN permissions. https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token
  • The Open Source Security Foundation (OpenSSF) Scorecards also treats not setting token permissions as a high-risk issue. This change will help increase the Scorecard score for this repository.

Signed-off-by: Ashish Kurmi akurmi@stepsecurity.io
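As an added illustration of what such a change looks like (constructed for this page, not the Spring Framework's own workflow file, and not part of the original PR), the workflow below sets a read-only default for the GITHUB_TOKEN at the workflow level and grants write access only to the single job that needs it. The workflow name, job names and build steps are assumptions chosen for the example.

```yaml
# Illustrative workflow (constructed for this example; not the Spring Framework's
# own workflow). Workflow name, job names and steps are assumptions.
name: build

on:
  push:
  pull_request:

# Workflow-level default: the GITHUB_TOKEN gets only read access to repository
# contents. Every scope not listed here is set to "none" for all jobs unless a
# job overrides it below. Without this block the token's scopes follow the
# repository or organization default, which may be write access to many scopes.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    # Inherits the workflow-level permissions: checking out and running the
    # build needs contents: read and nothing else.
    steps:
      - uses: actions/checkout@v3
      - run: ./gradlew test

  publish:
    needs: test
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    # Job-level override. A job-level permissions block replaces the
    # workflow-level one rather than merging with it, so list every scope this
    # job needs; everything else is "none" for this job.
    permissions:
      contents: write   # create a release / push a tag
      packages: write   # publish to GitHub Packages
    steps:
      - uses: actions/checkout@v3
      - run: ./gradlew publish
```

To confirm the effect, open the "Set up job" step of a run after the change: its "GITHUB_TOKEN Permissions" section lists the effective scopes, the same place the run linked in the description shows the current write-heavy defaults. If a step in a read-only job later fails with a 403 from the GitHub API, that is the signal to add the specific scope at the job level rather than widening the workflow-level default.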

Comment From: pivotal-cla

@boahc077 Please sign the Contributor License Agreement!

Click here to manually synchronize the status of this Pull Request.

See the FAQ for frequently asked questions.

Comment From: pivotal-cla

@boahc077 Thank you for signing the Contributor License Agreement!

Comment From: snicoll

@boahc077 thank you for making your first contribution to Spring Framework.

Comment From: vpavic

See https://github.com/spring-projects/spring-boot/pull/31344#issuecomment-1158989081.

Comment From: snicoll

Thanks Vedran, I had forgotten about that. I've changed the default permission.