Workflow security fixes (#351446)

NixOS · Oct 26, 2024 · 88bcaef · 88bcaef
2 parents 900a2d4 + 5bbbc3a
commit 88bcaef
Show file tree

Hide file tree

Showing 5 changed files with 39 additions and 18 deletions.
diff --git a/.github/workflows/codeowners.yml → .github/workflows/codeowners-v2.yml b/.github/workflows/codeowners.yml → .github/workflows/codeowners-v2.yml
@@ -1,17 +1,32 @@
-name: Codeowners
+name: Codeowners v2
 
-# This workflow depends on a GitHub App with the following permissions:
-# - Repository > Administration: read-only
-# - Organization > Members: read-only
-# - Repository > Pull Requests: read-write
-# The App needs to be installed on this repository
-# the OWNER_APP_ID repository variable needs to be set
-# the OWNER_APP_PRIVATE_KEY repository secret needs to be set
+# This workflow depends on two GitHub Apps with the following permissions:
+# - For checking code owners:
+#   - Permissions:
+#     - Repository > Administration: read-only
+#     - Organization > Members: read-only
+#   - Install App on this repository, setting these variables:
+#     - OWNER_RO_APP_ID (variable)
+#     - OWNER_RO_APP_PRIVATE_KEY (secret)
+# - For requesting code owners:
+#   - Permissions:
+#     - Repository > Administration: read-only
+#     - Organization > Members: read-only
+#     - Repository > Pull Requests: read-write
+#   - Install App on this repository, setting these variables:
+#     - OWNER_APP_ID (variable)
+#     - OWNER_APP_PRIVATE_KEY (secret)
+#
+# This split is done because checking code owners requires handling untrusted PR input,
+# while requesting code owners requires PR write access, and those shouldn't be mixed.
 
 on:
   pull_request_target:
     types: [opened, ready_for_review, synchronize, reopened, edited]
 
+# We don't need any default GitHub token
+permissions: {}
+
 env:
   OWNERS_FILE: ci/OWNERS
   # Don't do anything on draft PRs
@@ -45,8 +60,8 @@ jobs:
     - uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
       id: app-token
       with:
-        app-id: ${{ vars.OWNER_APP_ID }}
-        private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }}
+        app-id: ${{ vars.OWNER_RO_APP_ID }}
+        private-key: ${{ secrets.OWNER_RO_APP_PRIVATE_KEY }}
 
     - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
       with:

diff --git a/.github/workflows/editorconfig.yml → .github/workflows/editorconfig-v2.yml b/.github/workflows/editorconfig.yml → .github/workflows/editorconfig-v2.yml
@@ -1,6 +1,8 @@
-name: "Checking EditorConfig"
+name: "Checking EditorConfig v2"
 
-permissions: read-all
+permissions:
+  pull-requests: read
+  contents: read
 
 on:
   # avoids approving first time contributors

diff --git a/.github/workflows/manual-nixos.yml → .github/workflows/manual-nixos-v2.yml b/.github/workflows/manual-nixos.yml → .github/workflows/manual-nixos-v2.yml
@@ -1,6 +1,7 @@
-name: "Build NixOS manual"
+name: "Build NixOS manual v2"
 
-permissions: read-all
+permissions:
+  contents: read
 
 on:
   pull_request_target:

diff --git a/.github/workflows/manual-nixpkgs.yml → .github/workflows/manual-nixpkgs-v2.yml b/.github/workflows/manual-nixpkgs.yml → .github/workflows/manual-nixpkgs-v2.yml
@@ -1,6 +1,7 @@
-name: "Build Nixpkgs manual"
+name: "Build Nixpkgs manual v2"
 
-permissions: read-all
+permissions:
+  contents: read
 
 on:
   pull_request_target:

diff --git a/.github/workflows/nix-parse.yml → .github/workflows/nix-parse-v2.yml b/.github/workflows/nix-parse.yml → .github/workflows/nix-parse-v2.yml
@@ -1,6 +1,8 @@
-name: "Check whether nix files are parseable"
+name: "Check whether nix files are parseable v2"
 
-permissions: read-all
+permissions:
+  pull-requests: read
+  contents: read
 
 on:
   # avoids approving first time contributors