GitHub introduced a permissions field for GitHub Actions for security reasons.
- GitHub Actions: Control permissions for GITHUB_TOKEN | GitHub Changelog
- Workflow syntax for GitHub Actions - GitHub Docs
The permissions field helps you prevent software supply chain attacks.
For example, Codecov's bash script was hacked recently.
That supply chain attack affected CI services such as CircleCI and GitHub Actions.
GitHub Actions can limit each action's permissions.
For example, the following permissions only allow the action to read the repository's contents:
```yaml
permissions:
  contents: read
```
The default permissions value is write-all.
Of course, you can change the default workflow permission of the repository.
- Disabling or limiting GitHub Actions for a repository - GitHub Docs
- Security hardening for GitHub Actions - GitHub Docs
So, you need to do the following to improve the security of GitHub Actions:
- Change the default permission to "Read repository contents permission"
- Write each action's permissions into the workflow yaml files
However, the permissions field is optional and a little hard to set, because most actions do not provide a permissions guide.
@pkgdeps/update-github-actions-permissions
I've created a tool that updates GitHub Actions permissions automatically.
This tool detects the actions a workflow uses and adds a permissions field to your workflow yaml file.
Requirements: Node.js 14+
You can update your GitHub Actions workflows with the following command:
```shell
npx @pkgdeps/update-github-actions-permissions ".github/workflows/*.{yaml,yml}"
```
This tool supports 40+ actions.
If you find a missing action, please submit a pull request.
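As an added example (not the source of @pkgdeps/update-github-actions-permissions), here is a minimal Node.js sketch of what the tool does: detect the actions a workflow uses and insert a top-level permissions block. The action-to-permissions table is constructed for illustration; only the actions/checkout entry (contents: read) reflects that action's real behaviour, and the other entries are hypothetical.

```javascript
// Constructed lookup table: scopes each action is assumed to need.
// actions/checkout genuinely only reads repository contents; the
// "example/*" entries are hypothetical placeholders.
const ACTION_PERMISSIONS = {
  "actions/checkout": { contents: "read" },
  "example/publish-release": { contents: "write" },      // hypothetical
  "example/comment-on-pr": { "pull-requests": "write" }, // hypothetical
};

// Collect the action names referenced by `uses:` lines, without the @ref.
function detectActions(workflowText) {
  const used = new Set();
  for (const line of workflowText.split("\n")) {
    const m = line.match(/^\s*-?\s*uses:\s*([^@\s]+)/);
    if (m) used.add(m[1]);
  }
  return [...used];
}

// Merge the scopes of every detected action; "write" wins over "read" for
// the same scope. Actions missing from the table are reported for review
// rather than silently granted anything.
function computePermissions(actions) {
  const merged = {};
  const unknown = [];
  for (const name of actions) {
    const scopes = ACTION_PERMISSIONS[name];
    if (!scopes) { unknown.push(name); continue; }
    for (const [scope, level] of Object.entries(scopes)) {
      if (merged[scope] !== "write") merged[scope] = level;
    }
  }
  return { merged, unknown };
}

// Insert a top-level `permissions:` block before `jobs:` when the workflow
// has none. A file that already declares permissions is left untouched.
function addPermissions(workflowText) {
  if (/^permissions:/m.test(workflowText)) return { text: workflowText, unknown: [] };
  const { merged, unknown } = computePermissions(detectActions(workflowText));
  const entries = Object.entries(merged).sort(([a], [b]) => a.localeCompare(b));
  if (entries.length === 0) return { text: workflowText, unknown };
  const block = ["permissions:", ...entries.map(([s, l]) => `  ${s}: ${l}`)].join("\n");
  return { text: workflowText.replace(/^jobs:/m, `${block}\njobs:`), unknown };
}

// Constructed sample workflow with no permissions field.
const SAMPLE_WORKFLOW = `name: CI
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: example/comment-on-pr@v1
      - uses: someone/unknown-action@v3
`;
module.exports = { detectActions, computePermissions, addPermissions, SAMPLE_WORKFLOW };
```

Running addPermissions(SAMPLE_WORKFLOW) yields a workflow with contents: read and pull-requests: write, and reports someone/unknown-action as needing manual review.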