mirror of
https://github.com/ivuorinen/actions.git
synced 2026-03-07 15:56:27 +00:00
40f722ec18
Set `permissions: {}` at the top level of all workflow files to deny all
permissions by default, then grant only the minimum required permissions at
the job level. This fixes the Docker push failure caused by missing
`packages: write` permission being scoped incorrectly.
Changes per workflow:
- build-testing-image.yml: add contents: read + packages: write to job
- action-security.yml: consolidate contents: read, actions: read,
pull-requests: read into the analyze job
- codeql-new.yml: add actions: read to the analyze job
- dependency-review.yml: add contents: read to the dependency-review job
- issue-stats.yml: top-level only (no checkout, existing job perms sufficient)
- new-release.yml: was read-all; job already has contents: write
- pr-lint.yml: was contents: read + packages: read; job already has full perms
- release.yml: job already has contents: write
- security-suite.yml: move all perms to job level
- stale.yml: top-level only (no checkout, existing job perms sufficient)
- sync-labels.yml: was read-all; add contents: read to job for checkout
- version-maintenance.yml: move all perms to job level
Co-authored-by: ivuorinen <11024+ivuorinen@users.noreply.github.com>
82 lines
2.5 KiB
YAML
82 lines
2.5 KiB
YAML
---
|
|
# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
|
|
name: Action Security
|
|
|
|
on:
|
|
push:
|
|
paths:
|
|
- '**/action.yml'
|
|
- '**/action.yaml'
|
|
pull_request:
|
|
paths:
|
|
- '**/action.yml'
|
|
- '**/action.yaml'
|
|
merge_group:
|
|
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.ref }}
|
|
cancel-in-progress: true
|
|
|
|
permissions: {}
|
|
|
|
jobs:
|
|
analyze:
|
|
name: Analyze Action Security
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 30
|
|
|
|
permissions:
|
|
contents: read
|
|
actions: read
|
|
pull-requests: read
|
|
security-events: write
|
|
statuses: write
|
|
issues: write
|
|
|
|
steps:
|
|
- name: Checkout Repository
|
|
uses: actions/checkout@71cf2267d89c5cb81562390fa70a37fa40b1305e # v6-beta
|
|
with:
|
|
fetch-depth: 0
|
|
|
|
- name: Run Security Scan
|
|
id: security-scan
|
|
uses: ./security-scan
|
|
with:
|
|
gitleaks-license: ${{ secrets.GITLEAKS_LICENSE }}
|
|
token: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
- name: Notify on Critical Issues
|
|
if: failure() && steps.security-scan.outputs.critical_issues != '0'
|
|
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
|
|
with:
|
|
script: |-
|
|
const { repo, owner } = context.repo;
|
|
const critical = '${{ steps.security-scan.outputs.critical_issues }}';
|
|
const total = '${{ steps.security-scan.outputs.total_issues }}';
|
|
|
|
const body = `🚨 Critical security issues found in GitHub Actions
|
|
|
|
${critical} critical security issues (out of ${total} total) were found during the security scan.
|
|
|
|
### Scan Results
|
|
- Actionlint: Completed
|
|
- Trivy: ${{ steps.security-scan.outputs.has_trivy_results == 'true' && 'Completed' || 'Skipped/Failed' }}
|
|
- Gitleaks: ${{ steps.security-scan.outputs.has_gitleaks_results == 'true' && 'Completed' || 'Skipped' }}
|
|
|
|
[View detailed scan results](https://github.com/${owner}/${repo}/actions/runs/${context.runId})
|
|
|
|
Please address these issues immediately.
|
|
|
|
> Note: Some security tools might have been skipped due to missing configurations.
|
|
> Check the workflow run for details.`;
|
|
|
|
await github.rest.issues.create({
|
|
owner,
|
|
repo,
|
|
title: '🚨 Critical Security Issues in Actions',
|
|
body,
|
|
labels: ['security', 'critical', 'actions'],
|
|
assignees: ['ivuorinen']
|
|
});
|