
[security good practice] GitHub Action workflow, secrets.GITHUB_TOKEN now restricted by default (was permissive)

Open danielweck opened this issue 2 years ago • 2 comments

Please update your GitHub Action workflow YAML to include the permissions key and explicitly specify the read/write access rules your jobs actually require:

https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token

https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions

danielweck avatar Jan 31 '24 10:01 danielweck

Relevant code: https://github.com/readium/ts-toolkit/blob/659a3b289b63f48c7140c15a0366676b5d85986d/.github/workflows/size.yml#L8-L12

danielweck avatar Jan 31 '24 10:01 danielweck

In the Thorium project we need to create / delete / publish releases, and create / delete Git release tags. This is our GITHUB_TOKEN YAML configuration (as restrictive as possible):

https://github.com/edrlab/thorium-reader/blob/9d2bf56c181ec3da9634d30c12efdf067313efac/.github/workflows/main.yml#L9-L27

danielweck avatar Jan 31 '24 11:01 danielweck
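The pattern requested in this issue, and the release use case described in the last comment, as an added illustration (not the ts-toolkit or Thorium workflows themselves): a workflow-level `permissions` block drops the job token to read-only by default, and only the job that actually publishes releases and tags escalates to `contents: write`. Job names, step names and the release command are assumptions for illustration; the permission scopes (`contents`, `pull-requests`) are the documented GITHUB_TOKEN scopes.

```yaml
# Added example workflow (not from the ts-toolkit or Thorium repositories).
# Without a top-level `permissions` key the GITHUB_TOKEN inherits the
# repository default, which for older repositories is read/write on every
# scope. Declaring it here makes the least-privilege baseline explicit.
name: build-and-release   # assumed workflow name

on:
  push:
    branches: [main]
    tags: ['v*']

# Workflow-level default: every job starts with a read-only token.
# Use `permissions: {}` instead to start from no scopes at all.
permissions:
  contents: read

jobs:
  build:
    # Inherits the read-only default; no `permissions` key needed here.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test   # assumed build command

  release:
    # Creating, deleting or publishing releases and Git tags needs
    # `contents: write`. Scope it to this job only, and gate the job on
    # tag pushes so the elevated token is minted only when needed.
    if: startsWith(github.ref, 'refs/tags/v')
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: write
      # Add `pull-requests: write` only if a step comments on PRs.
    steps:
      - uses: actions/checkout@v4
      - run: gh release create "${GITHUB_REF_NAME}" --generate-notes   # assumed release step
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

A quick way to verify the effective grants is to open the run's job summary, where GitHub lists the `GITHUB_TOKEN Permissions` each job received; any scope showing `write` that the job does not need should be removed from that job's `permissions` block.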